<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">My understanding is there's a difference between handing off completely for payment processing, handling details and not storing then, and storing card details.<div><br></div><div>If you use something like Sagepay forms / Paypal you don't need PCI compliance. For handling but not storing, there's a medium level PCI compliance, and for storing there's a full audit PCI compliance.</div><div><br></div><div>We run our own server, and so were able to get it PCI certified - this meant passing an automated scan of open ports, software versions, apache headers, etc, and filling in a questionnaire that checked the security policies you implement. We aren't on a shared server, which I would imagine would be impossible to get PCI compliance for.</div><div><br></div><div>We filled in Self Assessment Questionnaire C, which is a shortened version, and the qualifications for that were as follows:</div><div><br></div><div><span class="Apple-style-span" style="font-family: verdana; font-size: 11px; line-height: 16px; "><table width="100%" cellpadding="5" cellspacing="0"><tbody><tr><td valign="top" colspan="4" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(215, 215, 215); border-right-color: rgb(215, 215, 215); border-bottom-color: rgb(215, 215, 215); border-left-color: rgb(215, 215, 215); border-top-width: 1px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 8px; padding-bottom: 8px; "><b>Eligibility to Complete SAQ C</b></td></tr><tr><td valign="top" align="left" colspan="4" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:</td></tr><tr><td valign="top" align="center" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; "><input type="checkbox" name="chk_eligibility_0" checked="" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Yes</td><td valign="top" align="left" colspan="3" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Merchant has a payment application system and an Internet or public network connection on the same device;</td></tr><tr><td valign="top" align="center" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; "><input type="checkbox" name="chk_eligibility_1" checked="" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Yes</td><td valign="top" align="left" colspan="3" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">The payment application system/Internet device is not connected to any other system within the merchant environment;</td></tr><tr><td valign="top" align="center" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; "><input type="checkbox" name="chk_eligibility_2" checked="" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Yes</td><td valign="top" align="left" colspan="3" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Merchant does not store cardholder data in electronic format;</td></tr><tr><td valign="top" align="center" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; "><input type="checkbox" name="chk_eligibility_3" checked="" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Yes</td><td valign="top" align="left" colspan="3" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and</td></tr><tr><td valign="top" align="center" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; "><input type="checkbox" name="chk_eligibility_4" checked="" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Yes</td><td valign="top" align="left" colspan="3" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 8.5pt; ">Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.</td></tr></tbody></table></span><div><br></div></div><div><br></div><div>Marcus</div><div><br><div><div>On 3 Sep 2010, at 10:53, Lee Irving wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Marcus,<br><br>It was my understanding that if you used the direct method then this<br>was classed as storing the creditcard numbers as they pass through<br>your systems memory and therefore you got hit by the stricter PCI<br>standard. ( having to be hosted on a PCI compliant host etc) You also<br>have to be very careful with what goes into your Webserver and<br>Application logs.<br><br>I find the whole PCI standard is very confusing and different people<br>have different takes on it of what you need to do.<br><br>From what I could tell if you used Sagepay forms then you were ok as<br>you did not take the credit card payments locally, Sage handle that on<br>their platform and you never take the card details, and it was this<br>scenario that meant that you fell under the less strict version.<br><br>I would be glad to be proved wrong on this though.<br><br>On Fri, Sep 3, 2010 at 8:48 AM, Marcus Roberts <<a href="mailto:marcus@marcusr.org.uk">marcus@marcusr.org.uk</a>> wrote:<br><blockquote type="cite"><br></blockquote><blockquote type="cite">On 3 Sep 2010, at 08:45, Lee Irving wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">As you take credit card numbers on your site how do you comply with PCI?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Because we don't store numbers, but just pass them on to SagePay (and then repeat the payment in future against a token they issue for each transaction) we can get validated under the less strict PCI compliance. We use SecurityMetrics, and found the process cheap and pretty easy to comply with - their scans helped lock our server down completely.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">Chat mailing list<br></blockquote><blockquote type="cite"><a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br></blockquote><blockquote type="cite"><a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org">http://lists.lrug.org/listinfo.cgi/chat-lrug.org</a><br></blockquote><blockquote type="cite"><br></blockquote>_______________________________________________<br>Chat mailing list<br><a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br>http://lists.lrug.org/listinfo.cgi/chat-lrug.org<br></div></blockquote></div><br></div></body></html>