
I am working on a web application where I will have to receive credit card details, but only so that I can pass those details to a configured payment processor and receive the card id/token, which will be stored.

Usually this is done in the front-end via a JS request directly to the payment processor, which returns a nonce, and then the backend does its job. But this is not my case.

Even though I will not be storing the CC data, I will technically be processing it (the CC data enters the server and my code), so I need PCI certification.

But I am not a large company that can afford that so I want to avoid it, at least for now.

So I am wondering if it would be OK, from a security and PCI DSS point of view, to create a Google Cloud Function that would receive the CC data, call the application for validation and payment processor configuration, send the CC data to the selected payment processor, post the token back into the application to perform what needs to be performed, and return the result from the application back to the client.

Technically, the CC data only enters the Google Cloud Function instance, which is certified, and the CC data is only safely submitted to the payment processor, which is also PCI certified. And I think in this case the Self-Assessment Questionnaire D – Service Providers should be enough, without the need for certification.

Is my assumption correct?

John Conde
  • As of today's date, Cloud Functions is still in beta and is not subject to any SLA. Check whether there is something else from Google that has explicit documentation about PCI DSS and see if it fits your requirements. – Kevin Lee Oct 26 '17 at 05:02
  • Have I mentioned SLA in my question? –  Oct 26 '17 at 06:15
  • You did not, but I mentioned it because it may be related to security which you mentioned. In some places, the use of beta software may be a security issue in and of itself. An SLA may also contain provisions about security, how data is stored etc. – Kevin Lee Oct 26 '17 at 10:06
  • Please don't make more work for people by vandalizing your posts. By posting on the Stack Exchange (SE) network, you've granted a non-revocable right, under the [CC BY-SA 3.0 license](//creativecommons.org/licenses/by-sa/3.0), for SE to distribute that content (i.e. regardless of your future choices). By SE policy, the non-vandalized version of the post is the one which is distributed. Thus, any vandalism will be reverted. – Makyen Sep 07 '18 at 15:27
  • Please do not vandalize your posts by removing the question and putting in gibberish. If you do not want to be associated with this question you need to reach out to the Stack Overflow team and let them know. They can do this for you. – John Conde Sep 07 '18 at 15:27

1 Answer


If you are a service provider, then you need SAQ D for service providers, no matter the setup you're using. Basically, if the money that is collected from the credit card goes into someone else's merchant account, then you're a service provider.

SAQ D is the hardest of the SAQs. The difference from 'certification' (there is no certification as such), or a RoC, is basically that a trusted body verifies that you've done the SAQ properly. You only need the RoC, which can be in the order of $25K a year, if you process over a certain number of transactions per year.

Yes, you should be able to use GCP Cloud Functions, and that will help with your PCI compliance, but in reality it won't make that much difference to the overall effort required to become PCI compliant. You still need to have all the policies and procedures in place, code reviews, SDLC, penetration testing, etc. It's 139 pages of requirements.

The good news is you don't technically need to be PCI compliant; it's up to the merchant to use PCI compliant providers, and they do that through a contract with you stating their PCI needs. Obviously not the best approach, though.

Have a talk with a QSA; it's probably worth a few hundred dollars in consulting fees to see if there's any way around it. If you're doing this as a one-off for a single client, for example, it might not be considered a service provider arrangement.

Good luck, and it'd be great to hear what you end up doing.

Richard