1

My company has a website/service that stores/processes credit cards and is PCI compliant (Site A). We also have websites with storefronts that need to submit credit card data to that site for processing (Site B). When someone orders something on Site B, and enters their billing information, how do I submit that information to Site A and remain PCI compliant?

Obviously they're on a secure page on Site B, when they are entering their billing details.

Can I just post the form to a secure page on Site A from a secure page on Site B? Do I need to encrypt the credit card during this transaction? Obviously it is stored in some sort of encrypted state, but does it need to be encrypted during the submit transaction?

Do I need to set up some sort of handshake between the websites, like a secret key? If so, what would be a secure way to create that key/handshake?

We've been reading and reading about PCI compliance trying to find concrete answers, but it seems kind of subjective, and obscure what we are supposed to be doing.

Mike McLin
  • Better suited for [security.stackexchange.com](http://security.stackexchange.com). – jweyrich Apr 14 '11 at 18:38
  • Thanks. So many new exchanges keep popping up, it's hard for me to keep track. I'll post over there. – Mike McLin Apr 14 '11 at 18:39
  • Question is posted on security.stackexchange.com here: http://security.stackexchange.com/questions/3093/how-to-submit-credit-card-info-to-a-separate-server-website-pci – Gavin Miller Apr 14 '11 at 18:53

2 Answers

0

Site B is in your PCI scope as long as the CC data are there even for a nanosecond.

If you want them out, think of a way of bringing up a secure page from A when paying, and then notify B only about the result, with no CC details disclosed.

ptrk
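One way to implement the "notify B only about the result" step from the answer above, as an added example that is not part of the original answer: Site A signs a result message that carries no card data, and Site B verifies it before marking the order paid. The shared key, field names and function names are hypothetical, and the key is assumed to be provisioned to both sites out of band.

```python
import hashlib
import hmac
import json
import time

# Assumption: a secret known only to Site A and Site B (constructed demo value).
SHARED_KEY = b"constructed-demo-key-replace-me"
MAX_AGE_SECONDS = 300
ALLOWED_FIELDS = {"order_id", "status", "amount", "ts"}


def _mac(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def sign_result(order_id, status, amount, key=SHARED_KEY, now=None):
    """Site A: build the result sent to Site B. No card number, expiry or CVV."""
    payload = {"order_id": order_id, "status": status, "amount": amount,
               "ts": int(now if now is not None else time.time())}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body, _mac(body, key)


def verify_result(body, sig, expected_order, expected_amount,
                  key=SHARED_KEY, now=None):
    """Site B: True only for an authentic, fresh, approved result for this order."""
    # Constant-time comparison; checked before the body is parsed at all.
    if not hmac.compare_digest(_mac(body, key).encode(), sig.encode()):
        return False  # forged or altered in transit
    payload = json.loads(body)
    if set(payload) != ALLOWED_FIELDS:
        return False  # unexpected fields: refuse anything beyond the result
    now = now if now is not None else time.time()
    if abs(now - payload["ts"]) > MAX_AGE_SECONDS:
        return False  # stale message, possible replay
    if payload["order_id"] != expected_order:
        return False  # result belongs to a different order
    if payload["amount"] != expected_amount:
        return False  # amount does not match what Site B is charging
    return payload["status"] == "approved"
```

Site B should also record each `order_id` it has already processed, so a replay inside the freshness window is ignored.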
0

In short, the PCI-DSS states that credit card information must never be in plain text. That being said, you should whip up your own protocol for this. HTTPS is a great solution.

rook