[LRUG] Sagepay
Daniel Barlow
dan at telent.net
Wed Mar 21 06:52:38 PDT 2012
On Wed, Mar 21, 2012 at 12:32 PM, Steve Tooke <steve.tooke at gmail.com> wrote:
> I seem to remember there being problems using the SagePay server option
> with ActiveMerchant. This is because you have to redirect to the sagepay
> servers to take the actual card details, avoiding PCI compliance issues.
>
I seem to remember the same thing but don't know the details. But I feel
compelled to add that you're not actually *avoiding* PCI issues by using
Server, you're just minimising them. You will still need to complete the
self-assessment form, it's just that it gets a lot simpler because you may
be able to use one of the shorter versions.
In particular, if you have a staff-facing backend for placing orders on
behalf of customers (perhaps you have telephone sales or bricks&mortar
outlets that you want to put through the system) you need to look at that
code - and the systems used to access it - carefully, because at least
according to my reading of the standard even the thin clients talking to
your web-based ordering system are inside scope if there are employees
using them. After all, they might have keyloggers attached.
-dan
--
dan at telent.net
http://ww.telent.net