[LRUG] Recurring Payments and subscriptions

Lee Irving irvingld at gmail.com
Fri Sep 3 11:09:49 PDT 2010


Thanks for that, Marcus

Sent from my iPhone

On 3 Sep 2010, at 18:21, Marcus Roberts <marcus at marcusr.org.uk> wrote:

> My understanding is there's a difference between handing off completely for payment processing, handling details and not storing them, and storing card details.
> 
> If you use something like SagePay Forms / PayPal you don't need PCI compliance. For handling but not storing, there's a medium level PCI compliance, and for storing there's a full audit PCI compliance.
> 
> We run our own server, and so were able to get it PCI certified - this meant passing an automated scan of open ports, software versions, Apache headers, etc., and filling in a questionnaire that checked the security policies you implement. We aren't on a shared server, which I would imagine would be impossible to get PCI compliance for.
> 
> We filled in Self Assessment Questionnaire C, which is a shortened version, and the qualifications for that were as follows:
> 
> Eligibility to Complete SAQ C
> Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
> Yes	Merchant has a payment application system and an Internet or public network connection on the same device;
> Yes	The payment application system/Internet device is not connected to any other system within the merchant environment;
> Yes	Merchant does not store cardholder data in electronic format;
> Yes	If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
> Yes	Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.
> 
> 
> Marcus
> 
> On 3 Sep 2010, at 10:53, Lee Irving wrote:
> 
>> Hi Marcus,
>> 
>> It was my understanding that if you used the direct method then this
>> was classed as storing the credit card numbers, as they pass through
>> your system's memory, and therefore you got hit by the stricter PCI
>> standard (having to be hosted on a PCI compliant host etc.). You also
>> have to be very careful with what goes into your web server and
>> application logs.
>> 
>> I find the whole PCI standard very confusing, and different people
>> have different takes on what you need to do.
>> 
>> From what I could tell, if you used SagePay Forms then you were OK as
>> you did not take the credit card payments locally; Sage handle that on
>> their platform and you never take the card details, and it was this
>> scenario that meant that you fell under the less strict version.
>> 
>> I would be glad to be proved wrong on this though.
>> 
>> On Fri, Sep 3, 2010 at 8:48 AM, Marcus Roberts <marcus at marcusr.org.uk> wrote:
>>> 
>>> On 3 Sep 2010, at 08:45, Lee Irving wrote:
>>> 
>>>> As you take credit card numbers on your site how do you comply with PCI?
>>>> 
>>> 
>>> Because we don't store numbers, but just pass them on to SagePay (and then repeat the payment in future against a token they issue for each transaction) we can get validated under the less strict PCI compliance. We use SecurityMetrics, and found the process cheap and pretty easy to comply with - their scans helped lock our server down completely.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Chat mailing list
>>> Chat at lists.lrug.org
>>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>> 
> 
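Lee's warning about what ends up in web server and application logs is the one point in this thread that code can directly help with. The Ruby below is an added example, not code from the thread, from LRUG, from SagePay or from SecurityMetrics. It scrubs a log line in two passes: first it blanks the values of named sensitive parameters (card number, CVV), which is what Rails' own parameter filtering does for the "Parameters:" line (filter_parameter_logging in Rails 2, config.filter_parameters in Rails 3); then it masks any remaining 13-19 digit run that passes the Luhn check, which catches card numbers that reach a log some other way, such as in an exception message or a hand-written log call. The parameter names, regular expressions and sample log lines are all constructed for this example.

```ruby
# Added example (not code from the thread or from LRUG): scrub card data out of
# log lines before they are written. Two passes, in this order:
#   1. named sensitive parameters (card number, CVV) are replaced by [FILTERED],
#      mirroring what Rails' parameter filtering does for the "Parameters:" line;
#   2. anything else that looks like a PAN (13-19 digits, optional spaces or
#      dashes) and passes the Luhn check is masked down to its last four digits.
# The parameter names, regexes and the sample log below are constructed here.
require "logger"
require "time"
require "stringio"

module PanScrubber
  SENSITIVE_KEYS = %w[card_number cvv cvc cv2 security_code].freeze

  # key, separator ("=>", "=" or ":" with optional quote/whitespace), then either
  # a quoted string or a run of unquoted characters up to a delimiter.
  KEYED = /\b(#{SENSITIVE_KEYS.join("|")})\b("?\s*(?:=>|=|:)\s*)("[^"]*"|[^\s,"}&]+)/i

  # 13-19 digits, each optionally followed by a single space or dash.
  CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

  # Constructed sample: a Rails-style request log that has already leaked a PAN.
  SAMPLE_LOG = <<~LOG
    Started POST "/subscriptions" for 127.0.0.1 at 2010-09-03 11:09:49
      Parameters: {"card_number"=>"4111 1111 1111 1111", "cvv"=>"123", "plan"=>"monthly"}
    Charging 4111111111111111 via SagePay for plan monthly
    SagePay vendor tx code 1234567890123456 accepted
  LOG

  # Luhn (mod 10) check: doubles every second digit counting from the right.
  def self.luhn_valid?(digits)
    sum = 0
    digits.reverse.each_char.with_index do |ch, i|
      d = ch.to_i
      if i.odd?
        d *= 2
        d -= 9 if d > 9
      end
      sum += d
    end
    (sum % 10).zero?
  end

  # Pass 1: blank out the values of named sensitive parameters, keeping quoting.
  def self.filter_keys(text)
    text.gsub(KEYED) do
      key, sep, value = $1, $2, $3
      "#{key}#{sep}#{value.start_with?('"') ? '"[FILTERED]"' : '[FILTERED]'}"
    end
  end

  # Pass 2: mask Luhn-valid digit runs, keeping only the last four digits.
  def self.mask_pans(text)
    text.gsub(CANDIDATE) do |match|
      digits = match.delete(" -")
      luhn_valid?(digits) ? "*" * (digits.length - 4) + digits[-4, 4] : match
    end
  end

  def self.scrub(text)
    mask_pans(filter_keys(text))
  end

  # A Logger whose formatter scrubs every message before it reaches the IO.
  def self.logger(io = $stdout)
    log = Logger.new(io)
    log.formatter = proc do |severity, time, _progname, msg|
      "#{time.utc.iso8601} #{severity} #{scrub(msg.to_s)}\n"
    end
    log
  end
end

if __FILE__ == $PROGRAM_NAME
  puts PanScrubber.scrub(PanScrubber::SAMPLE_LOG)
end
```

Running the file prints the sample log with the card number masked on both the Parameters line and the free-text "Charging" line, while the (non-Luhn) SagePay transaction code is left alone. Two caveats: about one random digit run in ten passes Luhn, so order or reference numbers will occasionally be masked too, which is the right way round for a card-data log; and scrubbing at the logger is a last line of defence, not a substitute for never passing the PAN or the CVV into a log call in the first place (the CVV must not be persisted anywhere at all).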