[LRUG] Sagepay

Daniel Barlow dan at telent.net
Wed Mar 21 06:52:38 PDT 2012


On Wed, Mar 21, 2012 at 12:32 PM, Steve Tooke <steve.tooke at gmail.com> wrote:

> I seem to remember there being problems using the SagePay server option
> with ActiveMerchant. This is because you have to redirect to the sagepay
> servers to take the actual card details, avoiding PCI compliance issues.
>

I seem to remember the same thing but don't know the details. But I feel
compelled to add that you're not actually *avoiding* PCI issues by using
Server, you're just minimising them.  You will still need to complete the
self-assessment form, it's just that it gets a lot simpler because you may
be able to use one of the shorter versions.

In particular, if you have a staff-facing backend for placing orders on
behalf of customers (perhaps you have telephone sales or bricks&mortar
outlets that you want to put through the system) you need to look at that
code - and the systems used to access it - carefully, because at least
according to my reading of the standard even the thin clients talking to
your web-based ordering system are inside scope if there are employees
using them. After all, they might have keyloggers attached.


-dan

-- 
dan at telent.net
http://ww.telent.net