-1

I have a server and a client application which runs in a web browser.

I know it is better to make the client do the request directly to the payment processor (by what's called a payment page).

Having said that, I would like to know if it is considered OK, in terms of security and PCI, to send the CC information to the server via encrypted HTTPS transportation, with the server then sending the data to the payment processor without saving the CC information.

I am using Ruby on Rails for the server side and a gem called ActiveMerchant with another gateway support gem, and I could find a way to do the payment from the client directly to the payment processor. It seems that the request should pass through my server anyway.

yanivps
  • 1,993
  • 3
  • 25
  • 33

1 Answer

0

This is most likely not okay, since the credit card data is still unencrypted in transit (from SSL termination to your Rails server) and might show up in server logs (obviously unencrypted) as well.

The payment provider we use offers CSE (client-side encryption), which encrypts raw credit card data on the client such that it never travels as raw/readable data through our server. The encryption is asymmetric and the encryption key is only available to the payment gateway, making it impossible for our backend servers to ever read that data.

hupfis
  • 128
  • 7