
I'm a freelance developer creating a site for a start-up company. Getting PCI compliant at this time is going to be tough, since the site is still in major development and the funds are quite short.

The situation is this: they want to accept payments on demand in a fast and easy way. This is going to involve punching an ID followed by a PIN into a virtual pinpad. This should process the transaction, charge the card, and be done. Because we are not currently PCI compliant, I would like the security to be as follows: the user, in Account Management, can click a link to redirect to the third-party payment processor (we are currently using Authorize.Net). On this page, the user enters their card information followed by an email/some form of ID. Their card is saved through this third party, and the third party sends us their ID for the user along with the user's email (or whichever identification is used on our end). Now, when the user wants to create a transaction, we send the user ID, our API key, and the transaction key used by the third party, as well as the amount to charge. They charge the account and all is good.

Does anybody have experience with this? Is this possible? Other solutions are welcome. Again, the company is slightly low on funds, and the transactions are usually going to be ~$10. They are currently working 100% in cash and averaging about 30 transactions a day, which is expected to increase drastically over the summer.

  • Sounds about right. We did the same thing when using PayPal, and pushed the PCI compliance to them. The part where they send you the user ID (you should make up a transaction ID, and have the third party return that instead), to tell you that the charge went through, is called a "callback" in general, and a "webhook" when they send it to you by calling a URL on your side. – Satya Feb 28 '15 at 05:44
  • Check out stripe.com. This is exactly the sort of service they provide. There are others (Braintree, etc.), but Stripe is the popular kid on the block right now. – Philip Hallstrom Feb 28 '15 at 17:59

1 Answer


Unfortunately, with the new DSS 3.1, you may still need to perform an SAQ A-EP. Part of the requirements for the SAQ A-EP is:

Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor

Even though your site never takes or processes credit card data, since your site does perform a redirect, that redirect could be changed to point to a malicious site.

Further information can be found in the SAQ A-EP.

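The card-on-file flow the question describes (hosted-page redirect, processor token stored on the merchant side, charge by token, result reported by webhook against a merchant-generated transaction ID as Satya's comment suggests) and the answer's point that the redirect itself is an attack surface, as one added example. This is illustration code written for this page, not the asker's site and not Authorize.Net's API: the processor host, field names, the HMAC-SHA512 webhook signature, and the credential placeholders are all constructed assumptions.

```python
"""Card-on-file flow where the merchant never sees card data.

Constructed example: processor endpoints, field names and the webhook
signature scheme are placeholders, not any real processor's API.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed values: the only processor host we will ever redirect a user to,
# our own host (for the post-enrollment return), and the webhook secret the
# processor would share with us out of band.
ALLOWED_PROCESSOR_HOSTS = {"pay.example-processor.test"}
OUR_HOST = "shop.example.test"
WEBHOOK_SECRET = b"constructed-webhook-secret"


class MerchantStore:
    """Only processor tokens and our own transaction records live here:
    never a PAN, expiry, CVV or PIN."""

    def __init__(self):
        self.tokens = {}        # user_id -> processor-issued card-on-file token
        self.transactions = {}  # our txn id -> {"user", "cents", "status"}


def enrollment_redirect(processor_page_url, user_id, return_url):
    """Build the redirect to the processor's hosted card-entry page.

    The hosted-page URL comes from config (processor_page_url); if that value
    has been tampered with to point somewhere else, the allowlist check refuses
    it rather than sending the customer to a look-alike page. The return_url
    must be https on our own host so the parameter cannot be used as an open
    redirect.
    """
    r = urlparse(return_url)
    if r.scheme != "https" or r.hostname != OUR_HOST:
        raise ValueError("return_url must be an https URL on our own host")
    if urlparse(processor_page_url).hostname not in ALLOWED_PROCESSOR_HOSTS:
        raise ValueError("payment redirect target is not an allowlisted processor host")
    return processor_page_url + "?" + urlencode({"customer_ref": user_id, "return_url": return_url})


def store_token(store, user_id, processor_token):
    """Called when the user comes back from the hosted page: keep only the token."""
    store.tokens[user_id] = processor_token


def charge(store, user_id, cents):
    """Create our own transaction id and the charge-by-token request body.

    The processor echoes merchant_ref back in its webhook, so we match results
    against an id we generated rather than trusting an id they hand us.
    Credentials would come from the environment in real code.
    """
    if user_id not in store.tokens:
        raise KeyError("user has no card on file")
    if cents <= 0:
        raise ValueError("amount must be positive")
    txn_id = secrets.token_hex(16)
    store.transactions[txn_id] = {"user": user_id, "cents": cents, "status": "pending"}
    request = {
        "api_login_id": "<from environment>",      # placeholder
        "transaction_key": "<from environment>",   # placeholder
        "customer_token": store.tokens[user_id],
        "amount_cents": cents,
        "merchant_ref": txn_id,
    }
    return txn_id, request


def sign_webhook(body):
    """HMAC-SHA512 over the raw body (constructed scheme, used by the processor side)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha512).hexdigest()


def make_webhook_body(merchant_ref, cents, result):
    """Helper that builds the processor's (constructed) webhook payload."""
    return json.dumps({"merchant_ref": merchant_ref, "amount_cents": cents, "result": result}).encode()


def handle_webhook(store, body, signature_header):
    """Verify the signature before parsing, then settle only a pending
    transaction we created, with the amount we asked for."""
    if not hmac.compare_digest(sign_webhook(body), signature_header):
        return "rejected: bad signature"
    event = json.loads(body)
    txn = store.transactions.get(event.get("merchant_ref"))
    if txn is None:
        return "rejected: unknown merchant_ref"
    if txn["status"] != "pending":
        return "ignored: already settled"      # replayed webhook, no double-capture
    if event.get("amount_cents") != txn["cents"]:
        return "rejected: amount mismatch"
    txn["status"] = "captured" if event.get("result") == "approved" else "declined"
    return "ok: " + txn["status"]


if __name__ == "__main__":
    db = MerchantStore()
    print(enrollment_redirect("https://pay.example-processor.test/enroll", "u42",
                              "https://shop.example.test/account"))
    store_token(db, "u42", "tok_constructed_123")
    txn, req = charge(db, "u42", 1000)
    body = make_webhook_body(txn, 1000, "approved")
    print(handle_webhook(db, body, sign_webhook(body)))
```

Two things the code makes concrete that the thread only states: the merchant's request to the processor carries a token, an amount and a merchant-generated reference, and nothing that would pull the site into card-data scope; and the redirect is treated as untrusted input at the moment it is built, which is the concern behind the SAQ A-EP criterion quoted in the answer, even though an attacker who can rewrite the page itself can also remove that check.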