
I'm considering using eWay as a payment gateway. They offer two options. One is to allow users to type in credit card data on an eWay-hosted website; the other is to use my own form and send credit card data via my server to eWay's backend. The second option (their page with details) seems more appropriate for me, as the user would never leave my site and branding would be maintained. Now, I spoke to support and they said that my site will be PCI compliant as long as I use SSL. So basically I can allow users to provide CC numbers on my site and send them to eWay's backend via XML. As long as I don't store sensitive data, but only transfer it, it is OK. Until now I thought that as long as CC data hits my server my site needs to be PCI compliant, but now I'm not sure. If someone could explain to me how it really is, that would be much appreciated.

spirytus

4 Answers


It seems like you have received a lot of conflicting answers. I work in a payments company and have undergone a Level 1 Service Provider audit, and I deal with merchants and their PCI requirements daily, so I think I can help clear this up for you.

The reality is that you do have to be PCI compliant if you accept credit cards, even if you outsource ALL of the cardholder data functions. The trick is that the standard you have to meet is far less restrictive than the standard the payment gateway has to meet--but this does not mean "PCI does not apply". You don't have to deal with the really tough network security requirements, but there are aspects of the PCI DSS that you have to comply with, and you are required to do a self-assessment audit annually.

For details on what part of the DSS you must deal with, go to pcisecuritystandards.org and look at SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.

Hope this helps clear things up for you!

Law29
MikeH
  • Thanks Mike :) Isn't it true that I need to go through SAQ Validation Type 1 (Quest. A) only if I retain paper reports or receipts with cardholder data? If I don't have that, nor transmit/store any of this data, I don't need to bother with PCI compliance in any form, right? – spirytus Jul 30 '10 at 00:04
  • You would still have to do a self-assessment using Questionnaire A, but the first part of it will mostly be marked as N/A for you. The parts under "Information Security Policy" still apply. Even if you never have to show the self-assessment to anyone, I would still recommend doing it and making sure that the IS security policy requirements are met--that way you never have to worry if your processor has a security breach because you satisfied your PCI-DSS requirements and can avoid any fines that might be assessed by Visa. IMHO, it's just a "better safe than sorry" kind of thing. – MikeH Jul 30 '10 at 20:02
  • Hey Mike, we are working on a project; we are accepting user payments with the Braintree payment gateway with their Drop-in UI, and we do not store credit card numbers in our database. Do we still have to be PCI compliant? And one more thing: what if we store only bank details like bank 'account number', 'account title' etc.? In this case, do PCI DSS requirements apply or not? https://stackoverflow.com/questions/54665191/can-i-store-user-bank-details-without-pci-compliance – Basit Feb 13 '19 at 08:23
  • The correct link is now https://www.pcisecuritystandards.org/pci_security/completing_self_assessment but the suggested edit queue is full so I can't make the change. – Law29 Sep 09 '21 at 18:46

If your system handles card data then it's in scope of PCI and must be PCI compliant.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

http://www.pcicomplianceguide.org/pcifaqs.php

Edit: eWay, as your gateway provider, is Tier 1, and it's beholden to them to actually ensure you're PCI compliant, so it's a bit dodgy of them to palm you off with the SSL spiel.

Alex K.
  • If we store only bank details like bank 'account number', 'account title' etc., in this case do PCI DSS requirements apply or not? @Alex K. my posted question below https://stackoverflow.com/questions/54665191/can-i-store-user-bank-details-without-pci-compliance – Basit Feb 13 '19 at 08:07

In short, if you are accepting payments (even if you fully outsource them), you need to be PCI compliant. The biggest factor in determining how many security controls you need to meet is the type of payment gateway you are using.

I helped author a white paper for the Drupal community, but the concepts apply across the board. I highly recommend reading it. And if you have any feedback, please file an issue in the GitHub issue queue.

rickmaneluis

We recently implemented credit card transactions for an e-commerce site using another payment gateway provider. This is what we learnt about PCI DSS compliance.

  1. If your business requirement is storage of customer information with their credit card information, then your server and the network around it should be PCI compliant.
  2. However, if storing customer information with credit card data is not a critical requirement, then you use the SSL form from the payment gateway provider. They should provide a means to customize the form so that you can brand it to reflect your company.

Detailed PCI DSS requirements are found at this link: PCI Data Security Standards

inlokesh
  • Now that's what gets me confused. Till now I was fairly confident that even if I don't store CC information, but only transfer it, I still have to make my site PCI compliant. That's quite the opposite of what you're saying though, so what is the truth? :) – spirytus Jul 14 '10 at 23:35
  • If credit card data never physically hits your server (including RAM due to a form post) then PCI-DSS does not apply. PCI data standards cover your network security, operating system patches and so on, because they want to ensure sensitive card data is secured from any misuse, during network transmission (covered by using SSL) or storage (covered by encryption). In your case you need to make sure the card data is securely transmitted to the payment gateway after the transaction (SSL): use your payment gateway's default SSL form. – inlokesh Jul 16 '10 at 08:54
  • @inlokesh: PCI applies at some level to any merchant processing cards. It's just a hell of a lot easier to pass if you can say "no cards touch our system, it's done by payment gateway X". – WW. Jun 17 '12 at 10:54
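The whole thread turns on one question: does cardholder data ever touch the merchant's own server (the "own form, relay via XML" option) or not (the hosted form)? An added example, not code from any answer above or from eWay, that a merchant can run over its own access and application logs to check that claim: it finds Luhn-valid card numbers that a form post or a careless debug line has written to disk, which is exactly the kind of thing that pulls a server into PCI scope. The log lines are constructed samples; 4111111111111111 is a standard test card number.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs in text, normalised to bare digits.

    The Luhn filter discards most order ids, timestamps and phone numbers
    that happen to be long digit runs.
    """
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(log: str) -> list:
    """Return (line_number, masked_pan) for every line holding a real-looking PAN."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        for pan in find_pans(line):
            hits.append((n, mask(pan)))
    return hits

# Constructed sample log (not real traffic). Line 1 shows a card number
# leaking via a logged form body; line 3 is an order id that fails Luhn.
SAMPLE_LOG = """\
2010-07-14 10:01:02 POST /checkout 200 body=name=Jane&card=4111111111111111&cvv=123
2010-07-14 10:01:03 gateway request id=ab12 amount=1999
2010-07-14 10:02:00 GET /order/123456789012345678 200
2010-07-14 10:03:00 POST /checkout 200 body=token=tok_9f8e7d amount=1999
"""

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN written to log: {masked}")
```

A clean run over production logs is evidence for the SAQ A self-assessment MikeH describes; a hit means card data did reach the server and the reduced questionnaire no longer fits.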