[LRUG] Sagepay

Riccardo Tacconi rtacconi at gmail.com
Thu Mar 22 04:33:36 PDT 2012


Great thank you

On 22 March 2012 12:30, Adrian Sevitz <adrian at vzaar.com> wrote:

> <caveat this with the usual caveats>
>
> There are two levels of PCI. (actually I think there are more, but for
> this purpose two is enough)
>
> Level 2, is what Spreedly needs to be. That their servers are protected
> and that the database where the card details are saved is secure. Etc.
>
> Level 1 is what you need to be. Which basically says you are using a
> compliant level 2 provider, not storing their details etc etc.
>
> To achieve level 1 PCI compliance you fill out a form once a year with
> your gateway provider's bank of choice (for us I think this is HSBC) and pay
> £12 or so. It's basically a protection racket and means nothing. But it is
> what it is.
>
> The fact users enter details on your form is mostly irrelevant,
> unless you store the details. You're only bound by PCI level 1 which says
> "we're just a website, not us guv, everything goes through them"
>
> So IMHO Spreedly is right on this.
>
> (contact me directly if you want me to put you in touch with their CTO who
> can explain this a lot better than me)
>
>
> Also all this is mainly out of my foggy memory of doing this a few years
> ago. But we've been running this way for a while.
>
> Also PCI compliance isn't law. It's part of your agreement with the
> gateway to process credit cards. I think the main risk of lack of
> compliance is them withdrawing access to the gateway. It's also less of a
> big deal at low transaction volume.
>
> </caveat this with the usual caveats>
>
> On 22 Mar 2012, at 11:16, chat-request at lists.lrug.org wrote:
>
> Message: 7
> From: Riccardo Tacconi <rtacconi at gmail.com>
>
>
> So I am using Spreedly Core with Sage Pay as gateway. With Spreedly I have
> created a form where the user enters the card details and then he is sent
> to Spreedly to store the data and he is sent back to my app with a token so I
> can do the transaction. Two stakeholders raise an issue because the users
> will enter their card details in a form, and by only doing that it binds us
> to deal with PCI. Spreedly's web site says the opposite. I am wondering who
> is right.


-- 
Riccardo Tacconi
Ruby on Rails and PHP development - System Administration
VIRTUELOGIC LIMITED

http://github.com/rtacconi
http://riccardotacconi.blogspot.com
http://twitter.com/rtacconi