
I'm thinking of building a payment application that will capture the credit card information in the application and use an HTTPS POST (to a 3rd-party payment gateway) to perform the credit card transaction.

Since this application captures credit card information, do I need to make the application PCI compliant? If yes, how do I do it?

Thanks.

Water7

1 Answer


The answer is YES.

Please refer to this link http://www.pcicomplianceguide.org/pcifaqs.php for clarification.

As per the site:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

nidhin
  • Since this is an iPhone application, the only security issue I can think of is transmitting the credit card information using HTTPS. What other security features do I need to include in the iPhone application to make it PCI compliant? – Water7 Aug 04 '11 at 08:43
  • You need PCI for storing credit card details and not for processing – nidhin Aug 04 '11 at 08:44
  • So can I assume that the iPhone application just needs to make the HTTPS connection to the payment gateway (authorize.net) for the credit card transaction? The iPhone application just captures the credit card details (the user keys them in, or they are captured by the credit card reader) and doesn't store any credit card information in the application. – Water7 Aug 04 '11 at 08:50
  • How about if I go through my web server first before passing the credit card information to the payment gateway? Does the web server need to be PCI compliant? Thanks. – Water7 Aug 04 '11 at 08:59
  • Please refer http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard :) – nidhin Aug 04 '11 at 09:02
  • @Water7 let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/2123/discussion-between-nidhin-and-water7) – nidhin Aug 04 '11 at 09:02
  • From the link (http://www.pcicomplianceguide.org/pcifaqs.php) you provided, it says that: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Does that mean I need PCI to capture the credit card information and make an HTTPS POST to the payment gateway? Thanks. – Water7 Aug 05 '11 at 04:41