[LRUG] Recurring Payments and subscriptions

Marcus Roberts marcus at marcusr.org.uk
Fri Sep 3 10:21:26 PDT 2010


My understanding is there's a difference between handing off completely for payment processing, handling details and not storing them, and storing card details.

If you use something like Sagepay forms / Paypal you don't need PCI compliance.  For handling but not storing, there's a medium level PCI compliance, and for storing there's a full audit PCI compliance.

We run our own server, and so were able to get it PCI certified - this meant passing an automated scan of open ports, software versions, apache headers, etc, and filling in a questionnaire that checked the security policies you implement.  We aren't on a shared server, which I would imagine would be impossible to get PCI compliance for.

We filled in Self Assessment Questionnaire C, which is a shortened version, and the qualifications for that were as follows:

Eligibility to Complete SAQ C
Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
Yes	Merchant has a payment application system and an Internet or public network connection on the same device;
Yes	The payment application system/Internet device is not connected to any other system within the merchant environment;
Yes	Merchant does not store cardholder data in electronic format;
Yes	If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
Yes	Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.


Marcus

On 3 Sep 2010, at 10:53, Lee Irving wrote:

> Hi Marcus,
> 
> It was my understanding that if you used the direct method then this
> was classed as storing the creditcard numbers as they pass through
> your systems memory  and therefore you got hit by the stricter PCI
> standard. ( having to be hosted on a PCI compliant host etc) You also
> have to be very careful with what goes into your Webserver and
> Application logs.
> 
> I find the whole PCI standard is very confusing and different people
> have different takes on it of what you need to do.
> 
> From what I could tell if you used Sagepay forms then you were ok as
> you did not take the credit card payments locally, Sage handle that on
> their platform and you never take the card details, and it was this
> scenario that meant that you fell under the less strict version.
> 
> I would be glad to be proved wrong on this though.
> 
> On Fri, Sep 3, 2010 at 8:48 AM, Marcus Roberts <marcus at marcusr.org.uk> wrote:
>> 
>> On 3 Sep 2010, at 08:45, Lee Irving wrote:
>> 
>>> As you take credit card numbers on your site how do you comply with PCI?
>>> 
>> 
>> Because we don't store numbers, but just pass them on to SagePay (and then repeat the payment in future against a token they issue for each transaction) we can get validated under the less strict PCI compliance.   We use SecurityMetrics, and found the process cheap and pretty easy to comply with - their scans helped lock our server down completely.
>> 
>> 
>> 
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>> 
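As an added example, not code from this thread, from SagePay or from SecurityMetrics, here is what the two practices discussed above look like in Ruby: after the gateway returns a token, keep only the token and the last four digits, and run every log line through a redactor so a stray debug statement or parameter dump cannot write a card number to the application log. The token format, the hypothetical gateway call and the Luhn-based redaction rule are assumptions made for illustration; the card number used is the standard 4111... test number, not real data.

```ruby
require 'logger'
require 'securerandom'
require 'stringio'
require 'time'

# Luhn check, used only to decide whether a run of digits is plausibly a card number
# (so that order numbers and timestamps of similar length are left alone).
def luhn_valid?(digits)
  return false unless digits.match?(/\A\d{13,19}\z/)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

# Mask every Luhn-valid digit run in +text+, keeping only the last four digits.
def redact_pans(text)
  text.gsub(PAN_CANDIDATE) do |match|
    digits = match.delete(' -')
    luhn_valid?(digits) ? ('*' * (digits.length - 4)) + digits[-4, 4] : match
  end
end

# A Logger whose formatter runs every message through redact_pans, so a stray
# parameter dump or exception message cannot put a PAN into the application log.
def redacting_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, time, _progname, msg|
    "#{severity} #{time.utc.iso8601} #{redact_pans(msg.to_s)}\n"
  end
  logger
end

# What the application keeps after a payment: the gateway token, the last four
# digits for display, and the amount. Never the PAN.
PaymentRecord = Struct.new(:token, :last4, :amount_pence)

# Hypothetical gateway call (assumption, not a real PSP API). In a real integration
# the PAN goes to the PSP over TLS and the PSP returns its own token; here the
# token is just a random string so the example runs offline.
def charge_and_tokenise(pan, amount_pence, logger)
  raise ArgumentError, 'not a valid card number' unless luhn_valid?(pan)
  token = "tok_#{SecureRandom.hex(8)}"
  # Deliberately careless log line, of the kind a debug statement leaves behind,
  # to show that the formatter masks it before it reaches the log.
  logger.info("charge #{amount_pence}p card=#{pan} token=#{token}")
  PaymentRecord.new(token, pan[-4, 4], amount_pence)
end

# Run the flow against a constructed test card number and return what was stored
# and what was logged.
def demo
  log = StringIO.new
  logger = redacting_logger(log)
  record = charge_and_tokenise('4111111111111111', 1999, logger)
  [record, log.string]
end

if __FILE__ == $PROGRAM_NAME
  record, log_text = demo
  puts "stored: #{record.to_h}"
  puts "logged: #{log_text}"
end
```

The redactor is a safety net for the log hygiene point Lee raises, not a substitute for never putting the PAN in a log message in the first place; the Luhn filter keeps it from mangling order IDs and other long numbers that happen to sit in the same line.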
