Menu
Network segmentation is an effective way to reduce the scope of a PCI-DSS assessment. The storage processing and transmission of payment card data may only occur on a small number of systems within a validating entity's internal network environment.
PCI REQUIREMENT 1: Install and Maintain Network Security Controls. PCI REQUIREMENT 2: Apply Secure Configurations to All System Components. Protect Account Data Maintain a Vulnerability Management Program. PCI REQUIREMENT 3: Protect Stored Account Data.
There are three ongoing steps for adhering to the PCI DSS: Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Any business that transmits, stores, handles, or accepts credit card data — regardless of size or processing volume — must comply with the PCI DSS Standards. If you only process three credit card transactions a month, you must comply with PCI standards.
I have a shopping cart flow like this:
Page 4. Receipt page
Repeat billing is a requirement for later, with variable amounts and schedules. (The user must be able to come back and change their schedule without entering CC number again).
Here's what I dont want to do :
Since I need a confirmation page I think I will need to use some kind of tokenization system such as offered by braintreepayments. You basically store the credit card number on their service and they give you back a token that represents that number. You can then make a charge against that card at any time for any amount. This certainly seems the most flexible solution.
I'm kind of going round in circles trying to figure out if this is the best solution or not :
The 'purest' safest approach seems to be to redirect to braintree (or someone else that offers a similar gateway).
Edit (after assigning bounty):
I've concluded that I absolutely have to have a system where we only need to meet level A for PCI. Been studying PCI in more detail and these questionnaires are the relevant ones for card-not-present merchants (i.e. e-commerce).
SAQ A : (when CC numbers don't even touch our server). You still have to fill out this questionnaire if you're selling online, but it is pretty easy.
SAQ D : (where CC numbers touch our server EVEN IF WE DONT STORE THEM)
Take a look at these questionnaires reveals a huge delta between requirements. The PCI requirments are often misrepresented as being a simple list such as 'maintain a firewall', 'security policy', 'limit physical access' - but if you actually read questionnaire D you'll see it has order of magnitute more questions and requirments. For instance you have to answer whether or not your server is protected by a video camera, and what kind of data encryption you have on your server.
I'd really appreciate knowing what actual products or providers out there that will facilitate me doing what I want to do. If there really is only 1 or 2 companies out there that let me do this then I need to know.
I've got no relationship to Braintree except I've managed to get on their email marketing list. They're just the only company I've managed to find that does this. If you are running another company doing the same then by all means blow your own trumpet. PCI requirements are only going to become more stringent over time and anyone who has got this far reading my question probably already realizes that.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With