SagePay/PayPal PCI DSS

hardwareguy

Free Member
May 22, 2012
54
1
Hello

I have a website where I use SagePay and PayPal as payment options.

Obviously I never see the customer's card data etc.

Do I still need to be PCI DSS scanned?

It's a very confusing area.

Thanks
 

wayzgoose

Free Member
Oct 9, 2007
1,119
213
UK
All that matters is if the customer makes the credit card transaction on the website. That requires PCI compliance. Is your integration Form, Server or Direct?
That's not quite correct. We used SagePay to process credit cards offsite but we still had to pay for the annual PCI compliance check. It's just a lot more expensive and involved if you process onsite.
 

LMDServicesUK

Any Organisation that operates a Merchant account has to become PCI-DSS Compliant irrespective of HOW the payments are processed.

The scanning element then forms part of the Compliance certification, but again the level will be dependent on your PCI classification.

The type of processing will dictate the PCI classification that you have to register under, and the management fees are billed either monthly or PA depending on your provider.

If you do not register, the fines can reach £50 PCM for non-compliance.

Hope this helps

Mark
 

japancool

Free Member
  • Jul 11, 2013
    9,740
    1
    3,447
    Leeds
    japan-cool.uk
    I think what Stripe say is "Anyone accepting credit card payments must be PCI compliant", so you must still be compliant!

    It's a bit unclear on their website. There is some text that says:
    "By using any of Stripe’s client libraries, such as Stripe.js for the web or the mobile APIs, you’re automatically compliant with the strictest PCI requirements."

    That sort of suggests that you don't have to do anything further to be compliant if you're using them.
     

    LMDServicesUK

    It's a bit unclear on their website. There is some text that says:
    "By using any of Stripe’s client libraries, such as Stripe.js for the web or the mobile APIs, you’re automatically compliant with the strictest PCI requirements."

    That sort of suggests that you don't have to do anything further to be compliant if you're using them.

    However you still need to be directly PCI compliant in the UK as you are potentially seeing or acting on card holder data every time you access the management system that holds the payment information on your behalf.

    The Merchant is signing up to a Code of Practice that anyone taking payment by cards has to register for. The difference being that you are signing up at a lower Tier (e.g. level 4) as opposed to Stripe who have to conform to the Level 1 requirement.
     

    Pish_Pash

    Free Member
    Feb 1, 2013
    2,582
    673
    I read on the Stripe website that if you used them they handled all the PCI compliance so you didn't have to worry about it. Is this correct?

    Which is why I've just started using Stripe... I can't be done with PCI compliance malarkey (which it seems is just another wheeze of squeezing that little bit more out of the small website owner).
     

    japancool

    Free Member
  • Jul 11, 2013
    9,740
    1
    3,447
    Leeds
    japan-cool.uk
    However you still need to be directly PCI compliant in the UK as you are potentially seeing or acting on card holder data every time you access the management system that holds the payment information on your behalf.

    The Merchant is signing up to a Code of Practice that anyone taking payment by cards has to register for. The difference being that you are signing up at a lower Tier (e.g. level 4) as opposed to Stripe who have to conform to the Level 1 requirement.

    I'm not using Stripe myself but I think it would be really helpful for them to make people aware of this on their website. There are at least a couple of UKBF members who are planning on using Stripe but don't seem to be aware of this, and that leaves them open to potentially hefty fines.
     