Differences
primer:security [2015/05/11 19:37] – [Summary: What to do if you're being told you need to be compliant] adam | primer:security [2017/01/05 17:35] – [Summary: What to do if you're being told you need to be compliant] foxybrett | ||
Line 26: | Line 26: | ||
==== What Are Your Compliance Requirements? | ==== What Are Your Compliance Requirements? | ||
- | Though we cannot tell you with certainty what your compliance requirements may be, we can offer a set of guidelines that may help you discern when you do actually need to pay for a service to become compliant (and conversely, when you're being sold misinformation or FUD). This is not an exhaustive list of scenarios, and [[http:// | + | Though we cannot tell you with certainty what your compliance requirements may be, we can offer a set of guidelines that may help you discern when you do actually need to pay for a service to become compliant (and conversely, when you're being sold misinformation or FUD). |
<wrap tip>If you're being told by your merchant account provider or gateway that you need to pay a fee</ | <wrap tip>If you're being told by your merchant account provider or gateway that you need to pay a fee</ | ||
- | ^ SAQ Required | + | ^ SAQ_Level |
| None | No | < | | None | No | < | ||
- | * Payments are //only// handled on a 3rd party system such as through PayPal Express Checkout through FoxyCart | + | * Payments are //only// handled on a 3rd party system such as through PayPal Express Checkout |
</ | </ | ||
| SAQ A | No | < | | SAQ A | No | < | ||
- | * Payments are handled through your store' | + | * Payments are **fully outsourced** |
* Payment card details are never handled on the phone or using FoxyCart' | * Payment card details are never handled on the phone or using FoxyCart' | ||
+ | * No cardholder data transmission, | ||
* No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.) | * No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.) | ||
* <wrap tip>No fees</ | * <wrap tip>No fees</ | ||
</ | </ | ||
- | | SAQ B | No | < | + | | SAQ A-EP | No | < |
- | * Payments are handled through standalone terminals or are swiped using a machine. | + | * Payments are **partially outsourced**. This gets a little technical, but this applies if you're doing a direct post or javascript-based |
- | | + | * <wrap tip>Fees</ |
- | * <wrap tip>No fees</ | + | |
- | </ | + | |
- | | SAQ C | Yes... | < | + | |
- | * The SAQ C isn't really intended to be used for e-commerce, but rather | + | |
- | * Payments are entered with a payment system connected to the internet. Systems used to access the virtual terminal may need to be scanned by an ASV. | + | |
- | * No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.) | + | |
</ | </ | ||
- | | SAQ C-VT | No... | < | + | | SAQ B \\ SAQ B-IP \\ SAQ C \\ SAQ C-VT | No | < |
- | * This is new as of PCI DSS 2.0, but it explicitly states " | + | * These SAQs aren' |
- | * Payments are entered into a web browser-based virtual terminal, | + | * Payments are handled through standalone terminals, are swiped using a dedicated machine, processed manually on an internet-connected |
</ | </ | ||
| SAQ D | Yes, on applicable systems | < | | SAQ D | Yes, on applicable systems | < | ||
* If you don't fit under the above SAQs, SAQ D is what you fall under. | * If you don't fit under the above SAQs, SAQ D is what you fall under. | ||
* Cardholder data is transmitted or stored on systems you control, regardless of the payment methods. Systems that transmit or store cardholder data will need to be fully PCI compliant and scanned by an ASV. | * Cardholder data is transmitted or stored on systems you control, regardless of the payment methods. Systems that transmit or store cardholder data will need to be fully PCI compliant and scanned by an ASV. | ||
- | * If you have servers or hosting that touches credit cards at all (even if it's just a POST to your website that then sends it to the gateway), you fall under the SAQ D. | + | * If you have servers or hosting that touches credit cards at all (//even if it's just a POST to your website that then sends it to the gateway//), you fall under the SAQ D. Just because you don't store card numbers doesn' |
* This is full PCI DSS compliance, 200+ requirements, | * This is full PCI DSS compliance, 200+ requirements, | ||
</ | </ | ||
- | Additionally, | + | Additionally, |
- | <wrap tip>If you can limit your exposure to PCI DSS, we recommend it.</ | + | <wrap tip>If you can limit your exposure to PCI DSS, we recommend it.</ |
==== Becoming PCI Compliant ==== | ==== Becoming PCI Compliant ==== | ||
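Review bot: merging SAQ B, SAQ B-IP, SAQ C and SAQ C-VT into a single row marked "No" in the scan column drops the qualification the old SAQ C row carried ("Systems used to access the virtual terminal may need to be scanned by an ASV"); keep that caveat in the merged row rather than an unqualified "No", since the old text made the scan requirement depend on which systems are in scope, not on the SAQ name. Two smaller points in the same hunk: the new header cell `^ SAQ_Level` reads as an identifier where the rest of the table uses plain words (`^ SAQ Level` would match), and the external reference removed from the end of the opening paragraph leaves "This is not an exhaustive list of scenarios" with no pointer to the fuller source; if it was replaced, add the replacement link.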
Line 86: | Line 81: | ||
We've outsourced our card handling to FoxyCart, which is a Level 1 PCI Compliant Service Provider listed on both Visa and MasterCard' | We've outsourced our card handling to FoxyCart, which is a Level 1 PCI Compliant Service Provider listed on both Visa and MasterCard' | ||
- | http://static.www.foxycart.com/FoxyCart_Attestation_of_PCI_Compliance.20150406.pdf | + | https://wiki.foxycart.com/ |
+ | http://www.visa.com/splisting/ | ||
+ | http://www.mastercard.com/ | ||
Do you still require that we provide proof of our own compliance? If so, do you have your own tool that we should use, or will providing the SAQ A be sufficient?</ | Do you still require that we provide proof of our own compliance? If so, do you have your own tool that we should use, or will providing the SAQ A be sufficient?</ | ||
- | - If they respond that they have their own tool, you should be able to fill that out. Otherwise, complete and send to them the PCI SAQ A, [[https:// | + | - If they respond that they have their own tool, you should be able to fill that out. Otherwise, complete and send to them the PCI SAQ A. (Get the latest version from [[https:// |
- | - If they respond that you must be compliant at a higher level (SAQ-C or SAQ-D), or that they need proof of a passing security scan, or something else, please let us know. | + | - If they respond that you must be compliant at a higher level, or that they need proof of a passing security scan, or something else, please let us know. |
===== One of my customers reported their card was stolen! ===== | ===== One of my customers reported their card was stolen! ===== | ||
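Review bot: the attestation link in the sample e-mail now points at an undated wiki URL instead of the dated PDF (FoxyCart_Attestation_of_PCI_Compliance.20150406.pdf); since the merchant forwards this as proof to a provider, make sure the destination page states the attestation date and the PCI DSS version it covers, otherwise the recipient has no way to tell it is current. The added Visa and MasterCard service-provider listing URLs serve that same purpose well, and pointing merchants at the latest SAQ A rather than a fixed copy is the right change. Dropping "(SAQ-C or SAQ-D)" from the last step is consistent with the table above, which no longer calls out SAQ C separately.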