I'm considering using eWay as payment gateway. They offer two options. One is to to allow users to type in credit card data on eWay hosted website, the other to use my own form and send credit card data via my server to eWays backend. The second option (their page with details) seem more appropriate for me as user would never leave my site and branding would be maintained. Now, I spoke to support and they said that my site will be PCI compliant as long as I use SSL. So basically I can allow users to provide CC numbers on my site and send it to eWays backend via XML. As long as I don't store sensitive data, but transfer only it is ok. Until now I thought as long as CC data hits my server my site needs to be PCI compliant but now I'm not sure. If someone could explain to me how it really is that would be much appreciated.
If your system handles card data then its in scope of PCI and must be PCI compliant.
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply
http://www.pcicomplianceguide.org/pcifaqs.php
Edit; "eWays" as your gateway provider are Tier 1, and its belholden to them to actually ensure your PCI compliant, so its a bit dodgy of them to palm you of with the SSL spiel.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With