[LRUG] Recurring Payments and subscriptions

Lee Irving irvingld at gmail.com
Fri Sep 3 02:53:38 PDT 2010


Hi Marcus,

It was my understanding that if you used the direct method then this
was classed as storing the credit card numbers, as they pass through
your system's memory, and therefore you got hit by the stricter PCI
standard (having to be hosted on a PCI compliant host etc.). You also
have to be very careful with what goes into your web server and
application logs.

I find the whole PCI standard very confusing, and different people
have different takes on what you need to do.

From what I could tell, if you used Sagepay forms then you were OK, as
you did not take the credit card payments locally; Sage handle that on
their platform and you never take the card details, and it was this
scenario that meant that you fell under the less strict version.

I would be glad to be proved wrong on this though.

On Fri, Sep 3, 2010 at 8:48 AM, Marcus Roberts <marcus at marcusr.org.uk> wrote:
>
> On 3 Sep 2010, at 08:45, Lee Irving wrote:
>
>> As you take credit card numbers on your site how do you comply with PCI?
>>
>
> Because we don't store numbers, but just pass them on to SagePay (and then repeat the payment in future against a token they issue for each transaction) we can get validated under the less strict PCI compliance. We use SecurityMetrics, and found the process cheap and pretty easy to comply with - their scans helped lock our server down completely.
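As an added example (not code from this thread, from LRUG or from SagePay), here is a small plain-Ruby scrubber for the log concern raised above: it masks Luhn-valid card numbers before a line reaches application or web-server logs, leaving ordinary long numbers such as order ids and timestamps untouched. The log lines and the test card number are constructed.

```ruby
# Added example: mask card numbers (PANs) before a line is written to a log.
# Plain Ruby, no gems or framework assumed.
module PanScrubber
  # Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
  CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

  # Luhn check so that other long numbers (order ids, timestamps) are left alone.
  def self.luhn_valid?(digits)
    sum = 0
    digits.reverse.each_char.with_index do |ch, i|
      d = ch.to_i
      d *= 2 if i.odd?
      d -= 9 if d > 9
      sum += d
    end
    (sum % 10).zero?
  end

  # Replace every Luhn-valid candidate with a mask that keeps only the last four digits.
  def self.scrub(line)
    line.gsub(CANDIDATE) do |match|
      digits = match.delete(' -')
      if luhn_valid?(digits)
        '*' * (digits.length - 4) + digits[-4, 4]
      else
        match
      end
    end
  end
end

# Constructed sample log lines; 4111... is a well-known test card number, not a real one.
SAMPLE_LOG = [
  'Started POST "/checkout" params={"card_number"=>"4111111111111111", "cvv"=>"[FILTERED]"}',
  'Order 123456789012 confirmed at 20100903025338',
  'card=4111 1111 1111 1111 exp=12/12',
]

if __FILE__ == $0
  SAMPLE_LOG.each { |l| puts PanScrubber.scrub(l) }
end
```

In a Rails app the same scrub would be applied through a custom log formatter, alongside the parameter filtering that already hides the CVV in the first sample line.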