  #26  
03-25-2010, 01:52 PM

geckoday
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Re: X-Payments 1.0 beta testing

Quote:
Originally Posted by zorg
By taking PCI-DSS into effect in July 2010, VISA is giving merchants only 2 options:

1) configure their stores so that they wouldn't store, process or transmit cardholder data, by using web-based payment gateways.

or (if a merchant wants to be responsible for the safety of credit card data):

2) become PCI-DSS certified.

I do believe the first option, being many times easier and cheaper, should be considered by most merchants. That's a typical practice anyway.

By choosing the second option a merchant is obliged to comply with the strict PCI-DSS standard, requiring him to set up a quite complicated environment where cardholder data could be stored or processed safely (i.e. http://help.qtmsoft.com/index.php?title=File:Xpayments_dataflow.png), and then go through the certification process.

By delivering X-Payments, a PA-DSS certified solution, we'll be happy to serve merchants who would select the second option.

It seems like you don't understand what's really going on. Merchants are already required to comply with PCI-DSS and have been for years. What is changing in July is that VISA is requiring merchants to only use software purchased from a third party that the third party has had PA-DSS certified. Therefore, there are really 4 options come July for merchants:

1) Use a gateway hosted payment page so you don't store, process or transmit card numbers
2) Use a transparent redirect gateway API like NMI (Braintree and others) or USAePay. This allows you to host the payment page, but when the customer submits the page, the data goes directly to the gateway server instead of your server.
3) Convince your shopping cart vendor to get PA-DSS certification for their payment module that uses a payment page on your server that submits the data to your server where it is then sent to the gateway.
4) Write your own payment module to use a payment page on your server that submits the data to your server where it is then sent to the gateway. Or you can have someone else write it for you as a one-off module (it can't be something they sell to multiple clients).

If you choose 1) or 2) you get to fill out the simplest of PCI-DSS Self Assessment Questionnaires since you never handle card numbers yourself.

If you choose 3) or 4) the complex setup in your diagram is not required by PCI-DSS. A large company may want to do it that way to reduce the systems in scope for their PCI-DSS assessment. But for your typical X-Cart shop that is a PCI level 3 or 4 merchant there is really no gain in doing it that way. In fact, it just complicates their life and costs them more money. In either 3) or 4) the merchant will probably have to fill out SAQ C or D depending on whether or not they store card numbers. No other certification is required unless the merchant is large and falls into level 1 or 2, in which case they will need an outside certification of PCI-DSS compliance no matter how they handle payments.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com