1

Apologies in advance as this question has been asked many times. This is my first time working with PCI and I have no idea where to start from. I have done a lot of reading but haven't managed to grasp the process.

I have also gone through all of them and I am getting conflicting response and I hope that someone will be able to guide me in the right direction.

I am working on a simple offsite checkout page that will accept payments and then redirect users back to where they came from. The page is built using Zend Framework 1.12 and I use PayPal Website Payments pro (with REST API) to process card payments.

Using the payment gateway users will be able to make payments on site or by going to PayPal's website. Only card number in xxxx-xxxx-xxxx-1111 format, card name and expiry date is stored. The merchant level will be Level 4.

My questions are:

  1. Can I make a VPS PCI compliant? (Got conflicting answers about this)
  2. What SSL certificate should I install (SSL or TLS)?
  3. And I am thinking of buying a scanning service and fixing the vulnerabilities highlighted in the report. Will I have to do anything else? (Most other requirements like network, firewall will be handled by VPS provider)
  4. Do I have to submit any documents to PCI or anyone else informing them of my status?
  5. If I don't use onsite payments. For instance redirect them to PayPal's website don't have to worry about PCI right?

Apologies again as this is a basic question but I am really confused and will appreciate your help.

user5071535
  • 1,312
  • 8
  • 25
  • 42
Jay Bhatt
  • 5,601
  • 5
  • 40
  • 62
  • 5. As far as I'm aware, if you store details, PCI compliance **is** needed. – Darren Nov 11 '15 at 02:31
  • @Darren Thanks for the response. From other questions I came to know that it is also needed, if you are not storing any data and just transmitting data as well. – Jay Bhatt Nov 11 '15 at 09:17
  • I'm voting to close this question as off-topic because this question is primarily about regulatory compliance, not computer programming. It touches somewhat on system administration, and some components (*but not all!*) of the question may be more appropriate on Server Fault. –  Nov 14 '15 at 01:50
  • Do not use SSL, SSL is virtually defunct and should absolutely not be used. SSL 2 is deprecated and there are various issues with SSL 3 and numerous attack paths, so use TLS, while the overall architecture is still called "SSL", everyone is actually using TLS. You want TLS 1.2 as a minimum, See https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack – Martin Nov 14 '15 at 12:34
  • It'd be great to hear what you ended up doing, if you're willing to share. – Richard Dec 06 '15 at 13:47

1 Answers1

2

Only a QSA can give you definitive answers to your questions, but I can let you know my understanding of the PCI requirements.

If you plan to use an API then you would open your scope to a minimum of SAQ A-EP, and if CC data touches your server then it's likely you'd need to complete a SAQ D. You really want to avoid that if you can. Can you not use an iFrame or redirect? If so you may be able to get away with SAQ A which is going to help a LOT. I'm not sure what Paypal offers but Braintree has a sweet iframe solution which may connect to Paypal or you could use a service like Spreedly.

  1. Yes you can use a VPS, use a PCI compliant provider like AWS or Google Cloud. Use their compliance to reduce your PCI scope.

  2. V3.1 of the PCI requirements say you can't use SSL v3 or less, so TLS is the way to go, not sure why you'd use an old version if it's a new build. TLS is basically the new version of SSL if that is not clear.

  3. If you qualify for SAQ A then you might not need scans, though it's still a good idea to do it. If you don't qualify for SAQ A then you a responsible for firewalls etc even using a PCI compliant VPS, it becomes a slippery slope and best avoided.

  4. Who is requiring you to PCI compliant? PCI is only contractual (best to double check this though), generally the merchant bank will have you sign an agreement saying you need to be PCI compliant and they or may or may not check that is the case. If you do an SAQ you don't need to submit it to anyone, only people that ask for it (like the bank), you'll want to keep and update a copy of the PCI compliance of your providers also (like a VPS provider).

  5. If credit cards are involved in anyway then you almost certainly need PCI, your best hope is SAQ A, it seems pretty much everyone ignores this but you're the one taking the risk if things go wrong, any fines etc will be passed on to you (again this depends to what terms you've agreed to).

Check out the PCI council website, there are guides for ecommerce websites and all the SAQ forms etc. Good luck!

Richard
  • 1,298
  • 6
  • 17
  • 27