I'm building a new web application that serves a form requesting the user's card information. Submitting this form will post the form data to a different, fully PCI-DSS compliant application.

Does the application that serves the form to users need to be PCI-DSS compliant also, even if I don't read card information in that application?

As far as my brief googling session has shown, it seems that PCI-DSS compliance is required in any application that "handles" card information. I'm not entirely sure where "handling" that information begins and ends.

Herrad

2 Answers

PCI DSS was updated in 2014 (with requirements that became mandatory in Jan 2015) to deal with service mechanisms like the one used by Stripe, in the form of a more stringent self-assessment questionnaire (SAQ A-EP v3), which is described as:

New SAQ to address requirements applicable to e-commerce merchants with websites that do not themselves receive cardholder data but which do affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data. Content aligns with PCI DSS v3.0 requirements and testing procedures.

This makes it clear that compliance is required.

Alex K.

Your use case sounds similar to Stripe's, and they say you'd need to use SSL on your page but otherwise can self-attest to compliance.

https://support.stripe.com/questions/do-i-need-to-be-pci-compliant-what-do-i-have-to-do

You may want to consult an auditor and get a formal opinion from them, though.

ceejayoz