[LRUG] Sagepay

Adrian Sevitz adrian at vzaar.com
Thu Mar 22 04:30:22 PDT 2012 

<caveat this with the usual caveats>

There are two levels of PCI. (actually I think their are more, but for this purpose two is enough)

Level 2, is what Spreedly needs to be. That their servers are protected and that the database where the card details are saved is secure. Etc.

Leve 1 is what you need to be. Which basically says you are using a compliant level 2 provider, not storing their details etc etc.

To achieve level 1 PCI compliance you fill out a form once a year with your gateway providers bank of choice (for us I think this is HSBC) and pay £12 or so. It's basically a protection wracked and means nothing. But it is what it is.

The fact user details enter details on your form is mostly irrelevant, unless you store the details. You're only bound by PCI level1 which says "we're just a website, not us guv, everything goes through them"

So IMHO Spreedly is right on this.

(contact me directly if you want me to put you in touch with their CTO who can explain this a lot better than me)


Also all this is mainly out of my foggy memory of doing this a few years ago. But we've been running this way for a while.

Also PCI compliance isn't law. It's part of your agreement with the gateway to process credit cards. I think the main risk of lack of compliance is them withdrawing access to the gateway. It's also less of a big deal at low transaction volume.

</caveat this with the usual caveats>

On 22 Mar 2012, at 11:16, chat-request at lists.lrug.org wrote:

> Message: 7
> From: Riccardo Tacconi <rtacconi at gmail.com>
> 
> So I am using Spreedly Core with Sage Pay as gateway. With Spreedly I have
> created a form where the user enters the card details and then he is sent
> to Spreedly to store the data and he is sent back to my app with token so I
> can do the transaction. Two stakeholders raise an issue because the users
> will enter their card details in a form, and by only doing that it binds us
> to deal with PCI. Spreedly web site says the opposite. I am wondering who
> is right.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20120322/9bad7dc2/attachment.html>

More information about the Chat mailing list