Hey guys, I was just watching a video on Braintree Payment Solutions website. They said that your server enters PCI scope as soon as the credit card data passes through it. I did a little bit of reading in the PCI-DSS and it looks like they are right:

"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

I was under the mistaken impression that as long as you don't store the card numbers, you are compliant. This isn't the case. Even having the numbers pass through your server is enough to bring your server into PCI scope. Maybe everyone else already knows this, but it was a surprise to me.

Moving forward, I wonder if we could, at the very least, document this. Right now using the auth.net, cybersource, protx or trustcommerce modules would put you under PCI scope. As I understand it, the size of the merchant affects whether you can self-assess or not, but it doesn't affect the requirements (including things like one function per server, no mixing mysql and apache). I know it isn't Satchmo's responsibility to handle this, but it'd be nice to help our users know what they are getting into. Also, there is definitely a possibility that I am completely confused.

Braintree's PCI explanation (although they are trying to sell something): http://www.braintreepaymentsolutions.com/services/pci-compliance

Alex Robbins
5Q Communications, Inc.
http://www.5Qcommunications.com/
[email protected]
800-747-4214 ext 913 (p)
http://www.ask5q.com/twitter/
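The scoping point in the post above (a PAN merely transiting the server is enough to bring it into scope) is easiest to see in code. The following is an added example, not part of the original message and not Satchmo or Braintree code: it sketches a checkout handler for a tokenising gateway, where the browser exchanges the card number for an opaque token and the server is only ever meant to receive that token. The handler refuses any submission that still carries a value shaped like a card number, so a mis-wired form cannot silently pull the server into scope. Field names (`payment_token`, `card_number`) and the sample values are hypothetical; `4111111111111111` is a standard Luhn-valid test number, not a real card.

```python
"""Scope guard for a token-only checkout endpoint.

Added example (not Satchmo code). Assumes a tokenising gateway: the browser
sends the card number to the gateway, gets back a token, and the server only
forwards that token. Any raw PAN reaching this handler is rejected, because
transmitting it at all would put this server into PCI DSS scope.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"^[0-9](?:[ -]?[0-9]){12,18}$")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn mod-10 checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, fold >9 back.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if a submitted value has both the shape and checksum of a PAN."""
    value = value.strip()
    return bool(_CANDIDATE.match(value)) and luhn_valid(value)


def find_pan_fields(form_data: dict) -> list:
    """Names of fields whose values look like a card number (sorted, deterministic)."""
    return sorted(
        name for name, value in form_data.items()
        if isinstance(value, str) and looks_like_pan(value)
    )


def handle_checkout(form_data: dict) -> dict:
    """Accept a token-only checkout; reject anything carrying a raw card number."""
    offending = find_pan_fields(form_data)
    if offending:
        # Report field names only. Logging the values would itself be PAN storage.
        return {"ok": False, "error": "raw card data submitted", "fields": offending}
    token = form_data.get("payment_token")
    if not token:
        return {"ok": False, "error": "missing payment_token"}
    # Hand the token (never a PAN) to the gateway; the gateway call is stubbed here.
    return {"ok": True, "charged_with": token}


if __name__ == "__main__":
    # Constructed sample submissions: one correct, one that would pull the server into scope.
    print(handle_checkout({"payment_token": "tok_constructed_1a2b3c"}))
    print(handle_checkout({"payment_token": "tok_constructed_1a2b3c",
                           "card_number": "4111 1111 1111 1111"}))
```

The Luhn check is a guardrail rather than a classifier: some non-card identifiers (certain order or account numbers) also pass it, so a rejection here means "inspect the form wiring", not "a card was definitely sent". What the guard does guarantee is that a PAN-shaped value is never forwarded, logged or persisted by this code path, which is the property the scoping rule quoted above turns on.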
