 

How to make my site PCI compliant

Assuming I decide to use a payment gateway and not to use their hosted page, but rather provide my own credit card details form and then send the data to their backend via XML as explained on this page. Then:

  1. Do I need to worry about PCI compliance? If so, what steps (from the PCI website) should be sorted out by me, by my hosting company, or by the payment gateway people?
  2. I was told that as long as my form is on SSL my site would be automatically compliant. Is that right?

Thanks for any help

asked Jan 22 '23 19:01 by spirytus


2 Answers

1) If you're handling credit card information at any time, you need to be PCI compliant. You need to sort out coding issues, your host needs to deal with any hardware and software issues with the server, and the payment gateway company has a lot of issues to handle (a list too long to give here, but one you don't need to worry about anyway).

2) No. SSL will help you be PCI compliant, but there is more to PCI compliance than how the data is transmitted from the user to the server. What you do with that data and how you do it also come into play. For example, if you are storing credit card information you'll need to be using encryption and not storing values barred from storage by PCI (e.g. CVV numbers). Putting this information in a session counts as storage.

answered Jan 24 '23 10:01 by John Conde
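As an added illustration of the storage point in this answer (not code from the answer or from any gateway), here is a small Python check that a checkout handler forwards the card to the gateway and then keeps only what PCI DSS lets it keep, plus a scanner that flags a full PAN or CVV that has leaked into a session, cache or log record. The XML element names, the form field names and the gateway schema are assumptions.

```python
"""Keep only permitted card data after forwarding a form to a gateway, and detect leaks."""
import re
import xml.etree.ElementTree as ET

# Sensitive authentication data: PCI DSS forbids storing these after authorisation.
SENSITIVE_AUTH_KEYS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin"}
# 13 to 19 digits with optional space/dash separators, the usual PAN length range.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a card number apart from other long numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cardholder_data(obj, path: str = "") -> list:
    """Walk a session, cache entry or log record and report where card data leaked."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if str(k).lower() in SENSITIVE_AUTH_KEYS:
                hits.append(f"{path}/{k}: sensitive authentication data")
            hits += find_cardholder_data(v, f"{path}/{k}")
    elif isinstance(obj, (list, tuple)):
        for i, v in enumerate(obj):
            hits += find_cardholder_data(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        for m in PAN_RE.finditer(obj):
            if luhn_valid(re.sub(r"\D", "", m.group())):
                hits.append(f"{path}: full PAN")
    return hits

def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS lets you display or keep."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def build_gateway_request(form: dict) -> tuple:
    """Return the XML for the (hypothetical) gateway and the only fields to retain locally."""
    root = ET.Element("AuthRequest")   # placeholder schema, not a real gateway's format
    for field in ("card_number", "expiry", "cvv", "amount"):
        ET.SubElement(root, field).text = str(form[field])
    # What may stay in your session/database: masked PAN, expiry, amount. Never the CVV.
    retain = {"masked_pan": mask_pan(form["card_number"]),
              "expiry": form["expiry"], "amount": form["amount"]}
    return ET.tostring(root), retain
```

Run `find_cardholder_data` over your session store and log records in a test; any hit means the data is being stored and the full PCI DSS storage requirements apply.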


Answer to question 1: Yes, you should be worried about PCI compliance all the more.

Answer to question 2: Using an SSL form to gather the credit card information takes care of secure transmission of data from the client to your server. So that is sufficient if you don't plan on storing the credit card data on your servers. If you want to store the credit card data, then you need to comply with PCI DSS for storage of credit card data.

answered Jan 24 '23 08:01 by inlokesh