bdacus01 Posted September 9, 2017

All: Looking for direction. Are any of the current merchant gateways PCI compliant without my server "being" compliant? I ask because a competitor claims their Stripe Checkout module is PCI compliant. From reading posts here from 2014, your Stripe gateway is not compliant, which requires my server and process to be compliant. I viewed the enhancement you all have on file since 2014. Looks to be no movement. However, it could be irrelevant because PCI rules may have changed, which would require all sellers to have a PCI compliant system. In which case I would only be able to use PayPal. I would like to use Stripe, but it could be a pain I don't need currently. Thoughts?
River Posted September 22, 2017

Essentially, anything that requires users to type in their CC details on your site would require you to be PCI compliant. Anything that redirects to the gateway, then back to your site when complete, and doesn't have any data on your server or entered on your site, would be the gateway's responsibility. So when PayPal goes YourSite > PayPal checkout > YourSite, they are PCI compliant, and in turn you're compliant. If Stripe does that, and redirects to their servers, then you're good. If you're sending CC details to Stripe, then the burden is on you. Hope that makes sense. That's my understanding of it.
Nelsa Posted September 22, 2017

4 hours ago, River said: Essentially, anything that requires users to type in their CC details on your site would require you to be PCI compliant. Anything that redirects to the gateway, then back to your site when complete, and doesn't have any data on your server or entered on your site, would be the gateway's responsibility. So when PayPal goes YourSite > PayPal checkout > YourSite, they are PCI compliant, and in turn you're compliant. If Stripe does that, and redirects to their servers, then you're good. If you're sending CC details to Stripe, then the burden is on you. Hope that makes sense. That's my understanding of it.

Well, this is not quite true: users can input their CC on your site while at the same time the CC data is not touching your server, and for that you don't have to be PCI compliant because the CC never touches your server... you only have to request a token and send it through HTTPS. The same goes for the inline hosted method. I went through the Trustwave PCI DSS verification process and it is not a big deal to get it, but it requires some work. When it comes to the tokenization method, Stripe offers this approach and so do many other gateways, but this method excludes storing CC... you can't charge on autopilot since the token is valid only 15-30 minutes depending on the gateway. Also, this method requires you to follow some basic rules... you request a token with a simple JS snippet and then pass it to your form (this is for the non-hosted method); for the hosted inline method you don't even do anything on your server since the form is hosted on the merchant gateway's server. PCI compliance is required only if CC data is stored on your server in any form. Again, when you implement these methods there is no way you can charge on autopilot or store CC since it never touches your server and the user has to go through the checkout process every time... Hope this helps... you can conclude yourself whether a gateway requires PCI DSS by its behaviour... but I suggest going through this process anyway... you will need it at some point.
bdacus01 Posted September 24, 2017 (Author)

On 9/22/2017 at 3:56 PM, Nelsa said: you can't charge on autopilot since the token is valid only 15-30 minutes depending on the gateway

Does Stripe not support subscriptions? Seems it does: https://stripe.com/subscriptions Maybe you mean the Blesta payment gateway doesn't support subscriptions, which it looks like it doesn't: https://docs.blesta.com/display/user/Stripe PayPal supports subscriptions.

On 9/9/2017 at 9:37 AM, bdacus01 said: Are any of the current merchant gateways PCI compliant without my server "being" compliant?

I am sort of asking about the Blesta payment gateways in general as well.

On 9/22/2017 at 11:11 AM, River said: Essentially, anything that requires users to type in their CC details on your site would require you to be PCI compliant. Anything that redirects to the gateway, then back to your site when complete, and doesn't have any data on your server or entered on your site, would be the gateway's responsibility. So when PayPal goes YourSite > PayPal checkout > YourSite, they are PCI compliant, and in turn you're compliant. If Stripe does that, and redirects to their servers, then you're good. If you're sending CC details to Stripe, then the burden is on you. Hope that makes sense. That's my understanding of it.

In general this is my understanding. What I seem to see is that none of the Blesta payment gateways outside of PayPal and maybe Square are PCI compliant, e.g. fully tokenized. So what payment gateways do you all use? Have those of you that use, for example, Stripe gone through PCI compliance testing?
Nelsa Posted September 25, 2017

All Blesta merchant gateways require PCI DSS, non-merchant gateways don't... it is very simple, but Stripe and many other gateways also offer a tokenized method and a hosted inline method where clients still input CC data without redirects, but at the same time the CC is not stored on your server in any form at any time... when one of these two methods is implemented you don't need PCI DSS. Now, Blesta implements Stripe as a merchant gateway and you can't compare it with non-merchant gateways like PayPal. I don't see why you would need Stripe subscriptions for a gateway that can store CC when you can handle subscriptions yourself in Blesta (that is probably how they thought when designing the gateways)... Well, it has a use case... for example if you don't want to store CC and deal with PCI DSS... :) I use a custom payment gateway from my local bank (UniCredit); my bank provides credit card processing (virtual gateway + API and also physical POS terminals) for every company that has a business/merchant account with them, but I'm familiar with most payment processors.
River Posted September 25, 2017

On 9/22/2017 at 4:56 PM, Nelsa said: Well, this is not quite true: users can input their CC on your site while at the same time the CC data is not touching your server, and for that you don't have to be PCI compliant because the CC never touches your server... you only have to request a token and send it through HTTPS. The same goes for the inline hosted method. I went through the Trustwave PCI DSS verification process and it is not a big deal to get it, but it requires some work. When it comes to the tokenization method, Stripe offers this approach and so do many other gateways, but this method excludes storing CC... you can't charge on autopilot since the token is valid only 15-30 minutes depending on the gateway. Also, this method requires you to follow some basic rules... you request a token with a simple JS snippet and then pass it to your form (this is for the non-hosted method); for the hosted inline method you don't even do anything on your server since the form is hosted on the merchant gateway's server. PCI compliance is required only if CC data is stored on your server in any form. Again, when you implement these methods there is no way you can charge on autopilot or store CC since it never touches your server and the user has to go through the checkout process every time... Hope this helps... you can conclude yourself whether a gateway requires PCI DSS by its behaviour... but I suggest going through this process anyway... you will need it at some point.

If they're inputting it on your site, you still need to ensure that the data is being transported in a secure manner. I always prefer to just let the gateways deal with the compliance as much as I can. Accepting the CC details on your site, you need to make sure that they are getting transported and handled appropriately even if you're just passing them through.