
Ok, so I have set up a Docusign Connect to a 3rd party application (Infusionsoft) and have it working great.

They don't natively work together, so I created a PHP script that reads the tabs in the docusign envelope and passes them to Infusionsoft, along with a copy of the completed envelope itself.

Now I would like to pass payment info through this as well, as one of the document templates I have in Docusign is a billing agreement. I have done a test run of this with dummy info and I am able to do this well, BUT, I now have to be concerned with PCI compliance on this, right?

I have a dedicated server with a domain that has an SSL certificate which is hosting the PHP script, which does not store any information. It just takes the docusign info (gathered by using the docusign connect) and formats it so it can be accepted by Infusionsoft.

I am a novice programmer, and pretty ignorant regarding knowledge behind encrypting data or securing a connection. The fact that Docusign passes the info through an XML file seems to be not ideal for handling sensitive data (at least I would imagine), and that is something that is out of my control.

So what I am asking is would it be possible to securely transmit payment info (credit card or bank account) through a Docusign connect connection in the type of setup I have? If so, how would I approach it? I am open to hiring a programmer if needed or getting a different server setup if it was necessary.

I can do this without adding the payment info to the template, and just adding it afterwards directly into Infusionsoft to limit my liability, but it would be so much easier if I could do it directly through Docusign Connect as it would automate the entire sign up process.

David Avellan
  • way too many unknowns to answer this. you seem to be using a weird suite of software here. –  Apr 07 '15 at 23:35
  • This is a regulatory compliance question; it doesn't involve any programming. It's off-topic for Stack Overflow. Contact your legal department and/or PCI auditor. –  Apr 07 '15 at 23:40
  • Sorry if this seems off topic, but the Docusign staff have recommended that I post questions regarding Docusign Connect and the API here in the past, as they don't provide official support for that on their website, so I thought I would ask here. – David Avellan Apr 08 '15 at 00:30
  • why Docusign and why Infusionsoft ? –  Apr 08 '15 at 01:22
  • Dagon - Docusign is an esigning application that I use for my membership agreements at my business. A customer can sign a legal document online, which allows me to be paperless and have all my data online. Advantageous for organization and reducing file cabinet space. Also, it allows for the ability to export fields in the document that is being signed, such as billing info, contact info, etc. to be passed into another application. – David Avellan Apr 08 '15 at 02:15
  • Infusionsoft is a CRM that I use to manage my business. It stores all my contact and billing information, and does my marketing as well. It has a lot of powerful automation features that I use. So my PHP script is just passing the info from Docusign to Infusionsoft. – David Avellan Apr 08 '15 at 02:19
  • Update on this. Spoke with my hosting company (HostGator) and after speaking with several reps they wouldn't give me an answer because then they would be liable for the answer. I asked for a hypothetical answer but he wouldn't even do that. I tried. lol! Going through their site, it says that all of their dedicated servers (which I have) are PCI compliant by default. However, alterations could be made that would change that. I found a link to Comodo (who I have my SSL certificate with), and signed up for a free online PCI compliance scan, which is currently scanning my hosting domain's IP. – David Avellan Apr 08 '15 at 18:16
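The relay script the question describes is the piece that actually touches card data, so it is where the practical hardening belongs, whatever the scan of the host turns up. Below is an added example of such a relay, written for this page and not the asker's code. It shows the three checks a reviewer would ask for before payment tabs go through it: reject a payload that does not carry a valid HMAC from DocuSign, parse the XML with external entities and network access disabled (XXE), and make sure the card number is Luhn-checked and only ever logged in masked form while the CVV is dropped entirely. The header name and HMAC scheme, the XML element names and tab labels, the `CONNECT_HMAC_SECRET` variable and the commented-out `sendToCrm` call are all assumptions; the XML payload is constructed for the example.

```php
<?php
// Added example (not the question's script): a hardened DocuSign Connect -> CRM relay.
// Assumptions, not facts from the page: the signature header and scheme, the XML
// element names and tab labels, and the CRM call (left as a comment).
declare(strict_types=1);

/** Constructed sample of a Connect-style XML payload (element names assumed). */
function sampleConnectXml(): string
{
    return <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<DocuSignEnvelopeInformation>
  <EnvelopeStatus>
    <Status>Completed</Status>
    <EnvelopeID>11111111-2222-3333-4444-555555555555</EnvelopeID>
    <RecipientStatuses><RecipientStatus>
      <Email>member@example.com</Email>
      <TabStatuses>
        <TabStatus><TabLabel>FirstName</TabLabel><TabValue>Jane</TabValue></TabStatus>
        <TabStatus><TabLabel>CardNumber</TabLabel><TabValue>4111 1111 1111 1111</TabValue></TabStatus>
        <TabStatus><TabLabel>CardCVV</TabLabel><TabValue>123</TabValue></TabStatus>
      </TabStatuses>
    </RecipientStatus></RecipientStatuses>
  </EnvelopeStatus>
</DocuSignEnvelopeInformation>
XML;
}

/** Only accept bodies signed with the secret shared with DocuSign.
 *  Assumed scheme: base64(HMAC-SHA256(raw body)) presented in a request header. */
function verifySignature(string $rawBody, string $presented, string $secret): bool
{
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    return hash_equals($expected, $presented);   // constant-time compare
}

/** Parse with no external entities and no network fetches (XXE). Connect payloads
 *  carry no DTD, so any DOCTYPE/ENTITY declaration is rejected before libxml sees it. */
function parseConnectXml(string $rawBody): SimpleXMLElement
{
    if (stripos($rawBody, '<!DOCTYPE') !== false || stripos($rawBody, '<!ENTITY') !== false) {
        throw new RuntimeException('DOCTYPE/ENTITY not allowed in Connect payload');
    }
    $prev = libxml_use_internal_errors(true);
    $xml  = simplexml_load_string($rawBody, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        throw new RuntimeException('Malformed Connect payload');
    }
    return $xml;
}

/** TabLabel => TabValue for every tab in the envelope. A real payload declares a
 *  default namespace; register it with registerXPathNamespace() before the xpath. */
function extractTabs(SimpleXMLElement $xml): array
{
    $tabs = [];
    foreach ($xml->xpath('//TabStatus') as $tab) {
        $tabs[(string) $tab->TabLabel] = trim((string) $tab->TabValue);
    }
    return $tabs;
}

/** Luhn check so a mistyped card number is bounced instead of relayed. */
function luhnValid(string $pan): bool
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 12) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** The only form of the PAN that may ever reach a log line. */
function maskPan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return str_repeat('*', max(0, strlen($digits) - 4)) . substr($digits, -4);
}

/** Split the tabs into what is forwarded and what is logged. The CVV is never
 *  forwarded or logged: PCI DSS forbids storing it and a CRM has no use for it. */
function prepareRelay(array $tabs): array
{
    $forward = $tabs;
    unset($forward['CardCVV']);
    if (isset($forward['CardNumber'])) {
        if (!luhnValid($forward['CardNumber'])) {
            throw new RuntimeException('Card number failed Luhn check');
        }
        $forward['CardNumber'] = preg_replace('/\D/', '', $forward['CardNumber']);
    }
    $audit = $forward;
    if (isset($audit['CardNumber'])) {
        $audit['CardNumber'] = maskPan($audit['CardNumber']);
    }
    return ['forward' => $forward, 'audit' => $audit];
}

// --- request handling: runs as the Connect endpoint, or on the sample from the CLI ---
$secret  = getenv('CONNECT_HMAC_SECRET') ?: 'change-me';   // assumed env var
$rawBody = file_get_contents('php://input') ?: '';
if ($rawBody === '') {                                      // CLI run: sign the sample ourselves
    $rawBody = sampleConnectXml();
    $_SERVER['HTTP_X_DOCUSIGN_SIGNATURE_1'] = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
}
if (!verifySignature($rawBody, $_SERVER['HTTP_X_DOCUSIGN_SIGNATURE_1'] ?? '', $secret)) {
    http_response_code(401);
    exit('bad signature');
}
$relay = prepareRelay(extractTabs(parseConnectXml($rawBody)));
error_log('relay ' . json_encode($relay['audit']));        // masked copy only, never the PAN
// sendToCrm($relay['forward']);  // hypothetical: HTTPS POST to the CRM; never write it to disk
```

Run from the command line with no input and it processes the constructed sample, logging `"CardNumber":"************1111"` and no CVV. Two caveats worth keeping in mind: the script is still in PCI scope as long as a full PAN passes through it, so the host's own controls (the scan, patching, restricted access) still matter; and if the Connect configuration does not sign its posts, the HMAC check has nothing to verify, in which case restrict the endpoint to DocuSign's published source IP ranges at the firewall instead.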

1 Answer


Well, Comodo's test turned up a bunch of holes and warnings, with a detailed report of what to fix. I took that in turn to HostGator support, who went ahead and made the appropriate changes to fix the holes. They also reported that there were a bunch of false positives, with supporting documentation.

So I have to do another test to verify that everything was closed up and report the false positives. But other than that it seems like it should all be cleared up.

I also spoke with Docusign Support over the phone about this, and they confirmed other companies are doing what I am doing as well, which was reassuring.

So in short, use Comodo's online scan tool to see what holes you have. Then contact your hosting company to fix the holes. Not a great answer, but I suppose better than nothing.

David Avellan