
I am trying to determine a PCI compliant way to pass on a Credit Card number to the payment API. One of the most obvious ways I can think of is to create a local variable to accept the CC# from the user, pass it on to the API and then destroy the variable.

After that, I will store the tokenized information for that customer, which does not have PCI burden. My hosting is SSL and PCI Compliant.

Any suggestions on what is a safe way to "accept" the CC# in order to "transmit" it on to the API? (PS: A gateway like Braintree or Stripe is not a solution for me, due to a multitude of reasons which are probably better suited for a discussion-only post later!)

Vivek Sinha
  • Not sure what you mean by "save", but obviously temporarily holding CC data in variables is allowed. How else could you possibly do it? But as mentioned, it does put your system "in scope" where outsourcing it completely might not. – John Hascall Apr 04 '17 at 01:32
  • "How else could you possibly do it?" : There is a well established way to do it other than saving the variables, called "Direct Post" or "Form Post". But, yes, storing CC even for a moment does put one's solution "in scope" for PCI Compliance. – Vivek Sinha Jun 13 '17 at 00:26
  • I would argue that those are examples of "outsourcing it completely". – John Hascall Jun 13 '17 at 10:11

1 Answer


If that credit card information ever hits your system, you fall within PCI scope. You would need to use a form which submits directly to the payment gateway to avoid falling within PCI scope.

Authorize.Net offers a few examples of this including SIM, Direct Post Method, Accept Hosted, and Accept.js. You will need to check to see if the payment gateway you are using offers similar functionality.

John Conde
  • Thanks for your to-the-point answer! My processor doesn't offer any hosted fields for in-app payments. They only offer a Hosted Payments Page (an iframe) which works great with web apps but becomes fairly unreliable in iOS and Android. (The technical folks over at that processor mentioned that I will need to leverage the SignalR library to accomplish this, both in-app and on the website. On the website the implementation is easy because there is a standard SignalR library that is maintained by Microsoft, but for in-app the SignalR library is a community resource and is not well maintained.) – Vivek Sinha Apr 04 '17 at 17:17
  • I am thinking of asking the processor to do one of the following: 1) If they can host the fields individually (rather than together in an iframe). 2) If they can create a CC# field on their server (instead of ours) and we just post data to it, similar to the Direct Post Method. – Vivek Sinha Apr 04 '17 at 17:18