PCI compliance when using third-party processing

@Cody1181609

Posted in: #Ecommerce #PciCompliance #Security

My company is outsourcing the development of our new e-commerce site to a third party web development company. The way they set up our site to handle transactions is by having the user enter the necessary payment info, then passing that data to a third party merchant that processes the payment, then completing the transaction if everything is good.

When the issue of PCI/DSS compliance was raised, they said:


You won't need PCI certification because the client's browser will send the sensitive information directly to the third party merchant when the transaction is processed. However, the process will be transparent to the user because all interface and displays are controlled by us. The only server required to be compliant is the third party merchant's because no sensitive card data ever touches your server or web app.


Even though I very much trust and respect the knowledge of our web developers, what they are saying is raising some serious red flags for me.

The way the site is described, I am sure we will not be using a hosted payment page like PayPal or Google Checkout offers (how could we maintain control over UI if we were?) And while my knowledge of e-commerce is laughable at best, it seems like the only other option for us would be to use XML direct to communicate with our third party merchant for processing.

My two questions are as follows:


1. Based on everything you've read, is "XML Direct" the only option they could conceivably be using, or is there another method I don't know of which they could be implementing?
2. Most importantly, is it true our site does not need PCI certification? As I understand it, using the XML Direct method means that we do have to be PCI/DSS certified, and the only way around getting certified is through a hosted payment page (i.e. PayPal).

2 Comments


@Odierno851

Unless the page they are entering their CC info on is on a different domain (i.e. a PayPal redirect), I would always worry about PCI.

Now, this does not mean you need to meet the PCI Level 1 requirements (i.e. read-only database of every transaction kind of stuff), but it does mean you should follow the requirements for Level 4. See the Visa requirements, as they are the most strict, I believe.

This FAQ should also help out so you are better informed.

Level 4 is not a significant cost barrier, so I would always suggest doing that. The majority of the scanning vendors basically just run your IP against a tool like Nessus, but it still helps to CYA in case you get hacked or compromised.

Cheers


@Kevin317

> Based on everything you've read, is "XML Direct" the only option they could conceivably be using, or is there another method I don't know of which they could be implementing?


There are more ways than XML Direct to use a third party for payment. An example of this is Authorize.net's Direct Post Method (DPM). DPM lets you host the payment form, so you have total control of that page's look and feel. When the form is submitted it is sent directly to Authorize.Net for processing. When the transaction is complete the user is taken back to your website. You never touch the credit card information but have total control of the look and feel of the entire process.


> Most importantly, is it true our site does not need PCI certification? As I understand it, using the XML Direct method means that we do have to be PCI/DSS certified, and the only way around getting certified is through a hosted payment page (i.e. PayPal).


If you are accepting payments through your site in some way, there are PCI compliance requirements to be aware of. However, most of the tough stuff is handed off to the payment processor. You are left with fewer issues to deal with. So you're not completely absolved of PCI compliance like that developer says, but most of it is taken off your hands and what is left is easier to implement.


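The two answers above turn on one design point: the browser posts the card fields straight to the processor, and the merchant's own server is supposed never to receive them. The following is an added example (not code from this thread, from Authorize.Net, or from any processor's SDK) showing both halves of that design in Node.js: building a merchant-hosted form whose `action` is the processor's endpoint, and a guard for the merchant's own endpoints that rejects any inbound body containing a Luhn-valid card number, so the "card data never touches your server" claim is enforced and observable rather than assumed. The processor origin, the `/directpost` path, the field names and the sample request bodies are all hypothetical, constructed for the example.

```javascript
// Added example: merchant-hosted payment form that posts directly to the
// processor, plus a guard that detects card data arriving at our own server.
// PROCESSOR_ORIGIN, the form field names and the sample bodies are
// hypothetical, not any real processor's API.

const PROCESSOR_ORIGIN = 'https://payments.example-processor.test'; // hypothetical

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const esc = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Build the payment form we host. Only the non-sensitive order details are
// filled in by us; the card fields are typed by the customer and submitted by
// the browser straight to the processor, never to our origin.
function buildDirectPostForm({ orderId, amount, returnUrl }) {
  const action = `${PROCESSOR_ORIGIN}/directpost`; // hypothetical endpoint
  // Defensive check: a misconfigured action pointing back at us would silently
  // pull our server into PCI scope.
  if (!action.startsWith(`${PROCESSOR_ORIGIN}/`)) {
    throw new Error('payment form must post to the processor, not to this site');
  }
  return [
    `<form method="post" action="${esc(action)}">`,
    `  <input type="hidden" name="order_id" value="${esc(orderId)}">`,
    `  <input type="hidden" name="amount" value="${esc(amount)}">`,
    `  <input type="hidden" name="return_url" value="${esc(returnUrl)}">`,
    '  <input name="card_number" autocomplete="cc-number">',
    '  <input name="exp_date" autocomplete="cc-exp">',
    '  <input name="cvv" autocomplete="cc-csc">',
    '  <button type="submit">Pay</button>',
    '</form>',
  ].join('\n');
}

// Luhn check over a string of digits (the checksum every PAN must satisfy).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Walk a parsed request body (nested objects/arrays allowed) and return the
// field paths whose values contain a 13-19 digit run that passes Luhn.
// Spaces and dashes are stripped first so "4111 1111 1111 1111" is caught.
function findPanLikeValues(value, path = '') {
  const hits = [];
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findPanLikeValues(v, path ? `${path}.${k}` : k));
    }
    return hits;
  }
  if (typeof value !== 'string' && typeof value !== 'number') return hits;
  const normalized = String(value).replace(/[\s-]/g, '');
  for (const m of normalized.matchAll(/\d{13,19}/g)) {
    if (luhnValid(m[0])) hits.push(path);
  }
  return hits;
}

// Guard for our own endpoints (order creation, callbacks, support notes, ...).
// Returns whether the request may proceed and which fields tripped the check,
// so the rejection can be logged as a scope violation.
function guardInboundRequest(body) {
  const fields = findPanLikeValues(body);
  return { accepted: fields.length === 0, fields };
}

// Constructed sample: a support note where a customer pasted their card number.
const sampleRejected = guardInboundRequest({
  order_id: 'ORD-1001',
  note: 'card 4111 1111 1111 1111 exp 12/30',
});
// Constructed sample: a long numeric order id and a phone number, no PAN.
const sampleAccepted = guardInboundRequest({
  order_id: '1234567890123',
  customer: { phone: '+1 555 0100' },
});
```

Wire `guardInboundRequest` in as the first middleware on every route the merchant server exposes, including the return URL the processor sends the customer back to, and treat any hit as an incident to investigate: it is a detective control that tells you the "never touches your server" design has been broken somewhere, not a substitute for the scope reduction itself. The guard can produce false positives on unrelated Luhn-valid numbers (some account or tracking numbers pass the checksum), so log the field path, never the value.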