[LRUG] Recurring Payments and subscriptions
Lee Irving
irvingld at gmail.com
Fri Sep 3 11:09:49 PDT 2010
Thanks for that, Marcus.
Sent from my iPhone
On 3 Sep 2010, at 18:21, Marcus Roberts <marcus at marcusr.org.uk> wrote:
> My understanding is there's a difference between handing off completely for payment processing, handling details and not storing them, and storing card details.
>
> If you use something like Sagepay forms / Paypal you don't need PCI compliance. For handling but not storing, there's a medium level PCI compliance, and for storing there's a full audit PCI compliance.
>
> We run our own server, and so were able to get it PCI certified - this meant passing an automated scan of open ports, software versions, apache headers, etc, and filling in a questionnaire that checked the security policies you implement. We aren't on a shared server, which I would imagine would be impossible to get PCI compliance for.
>
> We filled in Self Assessment Questionnaire C, which is a shortened version, and the qualifications for that were as follows:
>
> Eligibility to Complete SAQ C
> Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
> Yes Merchant has a payment application system and an Internet or public network connection on the same device;
> Yes The payment application system/Internet device is not connected to any other system within the merchant environment;
> Yes Merchant does not store cardholder data in electronic format;
> Yes If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
> Yes Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.
>
>
> Marcus
>
> On 3 Sep 2010, at 10:53, Lee Irving wrote:
>
>> Hi Marcus,
>>
>> It was my understanding that if you used the direct method then this
>> was classed as storing the credit card numbers, as they pass through
>> your system's memory, and therefore you got hit by the stricter PCI
>> standard (having to be hosted on a PCI compliant host, etc.). You also
>> have to be very careful with what goes into your web server and
>> application logs.
>>
>> I find the whole PCI standard very confusing, and different people
>> have different takes on what you need to do.
>>
>> From what I could tell, if you used Sagepay forms then you were OK, as
>> you did not take the credit card payments locally; Sage handle that on
>> their platform and you never take the card details, and it was this
>> scenario that meant that you fell under the less strict version.
>>
>> I would be glad to be proved wrong on this though.
>>
>> On Fri, Sep 3, 2010 at 8:48 AM, Marcus Roberts <marcus at marcusr.org.uk> wrote:
>>>
>>> On 3 Sep 2010, at 08:45, Lee Irving wrote:
>>>
>>>> As you take credit card numbers on your site how do you comply with PCI?
>>>>
>>>
>>> Because we don't store numbers, but just pass them on to SagePay (and then repeat the payment in future against a token they issue for each transaction) we can get validated under the less strict PCI compliance. We use SecurityMetrics, and found the process cheap and pretty easy to comply with - their scans helped lock our server down completely.
>>>
>>>
>>>
>>> _______________________________________________
>>> Chat mailing list
>>> Chat at lists.lrug.org
>>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>>
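Lee's point about web server and application logs is where "handling but not storing" quietly turns into storing. An added example, not code from the thread or from any gateway: a small Ruby scrubber that masks Luhn-valid card numbers before a line is written to the log. The log lines below are constructed for the demonstration.

```ruby
# Mask anything that looks like a card number (PAN) in a log line so the
# application log never becomes a store of cardholder data.
# A candidate is 13-19 digits, optionally separated by single spaces or
# dashes; it is only masked if it passes the Luhn check, so order ids and
# timestamps that happen to be long digit runs are usually left alone.
PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

# Standard Luhn checksum over a string of digits.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# Replace each Luhn-valid candidate with a mask that keeps only the last
# four digits, e.g. "4111 1111 1111 1111" becomes "************1111".
# Non-card numbers that pass Luhn by chance (about 1 in 10) are masked too;
# in a log that is the safe direction to err.
def scrub_pan(line)
  line.gsub(PAN_CANDIDATE) do |match|
    digits = match.delete(" -")
    luhn_valid?(digits) ? "*" * (digits.length - 4) + digits[-4, 4] : match
  end
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  'POST /checkout params={"card_number"=>"4111 1111 1111 1111"}',
  'order_id=1234567890123 total=19.99',   # 13 digits, fails Luhn: untouched
  'card=4111-1111-1111-1112 declined'      # bad checksum: not treated as a PAN
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOG.each { |l| puts scrub_pan(l) }
end
```

Wire `scrub_pan` in as a log formatter (or a Rack middleware over the request parameters) rather than calling it ad hoc, so every path to the log passes through it.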