CC number visible to samplestore #21

Open
jrief opened this issue Sep 10, 2012 · 1 comment

Comments

@jrief

jrief commented Sep 10, 2012

When using "Make direct payment" the credit card number is sent via POST request to the customer's server. This means that your customer needs a PCI DSS certification. I can't imagine that this is the intended usage for this module.

@zen4ever
Owner

django-authorizenet implements three types of Authorize.Net APIs:
SIM, AIM, CIM

When you are using SIM and CIM APIs, CC data is stored on Authorize.NET servers, which are PCI DSS compliant.

Regarding AIM, yes, you have to be PCI DSS compliant, because it involves transmission of credit card data:
http://www.authorize.net/support/merchant/Integration_Settings/Advanced_Integration_Method_(AIM)_Settings.htm
"Please keep in mind that AIM involves the collection, transmission, and storage of cardholder data on your Web server.
Because of this, compliance with the PCI Data Security Standard is required by the Card Associations."

PCI DSS compliance has different levels:

If you don't want to worry (much) about PCI DSS compliance, you should use SIM or Hosted CIM APIs, this way your web server never touches CC data.
(Though, I believe you still need to complete Self-Assessment Questionnaire A)

If you don't store any CC data (AIM, CIM), and just "transmit" it you need to complete Self-Assessment Questionnaire C.

All SAQs can be found here:
https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

When you are a small business your PCI DSS compliance is checked by the bank with whom you have your merchant account,
so you don't have to pay big bucks for formal PCI certification (at least that was my experience with some of my clients).
You should double check with your bank what their requirements are for allowing you to accept credit card payments on your site.

Here you can read more about PCI DSS compliance:
https://www.pcisecuritystandards.org/security_standards/
http://www.sysnetglobalsolutions.com/en/PCI_DSS/PCI_DSS_FAQs.aspx
http://www.mijireh.com/docs/what-you-need-to-know-about-pci-compliance/

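The two integration shapes discussed in this thread, shown side by side as an added example (this is not django-authorizenet's code and not the maintainers' reply). In the AIM shape the browser POSTs the card number to the merchant's own server, which is what puts that server in PCI DSS scope; the `pan_fields` check below scans a POST body for Luhn-valid 13-19 digit values so a developer can confirm whether a given view ever receives a PAN. In the SIM shape the merchant's server only signs the order and the browser posts card data directly to Authorize.Net's hosted form, so the PAN is never an input on the merchant side. The credentials, field values and the sample POST bodies are constructed for the example; the `x_fp_hash` construction (HMAC-MD5 keyed with the transaction key over `login^sequence^timestamp^amount^`, trailing caret for the empty currency field) follows the SIM fingerprint format as documented at the time and should be checked against current Authorize.Net documentation before use.

```python
"""
AIM vs SIM card-form shapes, and a check for whether a POST body carries a PAN.

AIM: browser -> merchant server (card number in request.POST) -> Authorize.Net.
     The merchant server handles cardholder data and is in PCI DSS scope.
SIM: merchant server signs (login, sequence, timestamp, amount); browser posts
     the card number straight to Authorize.Net's hosted form. The merchant
     server never receives the PAN.
"""
import hashlib
import hmac
import time

# Constructed credentials for this example; real values come from the
# Authorize.Net merchant interface.
API_LOGIN_ID = "demo_login"
TRANSACTION_KEY = "demo_transaction_key"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_fields(post: dict) -> list:
    """Names of POST fields whose value looks like a card number
    (13-19 digits after removing spaces/hyphens, Luhn-valid).

    A non-empty result means the PAN reached this server, which is the AIM
    situation raised in the issue: that view is inside PCI DSS scope.
    """
    hits = []
    for name, value in post.items():
        digits = str(value).replace(" ", "").replace("-", "")
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(name)
    return hits


def sim_fingerprint(amount: str, sequence: str, timestamp: int,
                    login: str = API_LOGIN_ID, key: str = TRANSACTION_KEY) -> str:
    """x_fp_hash for a SIM form: HMAC-MD5, keyed with the transaction key,
    over login^sequence^timestamp^amount^ (trailing caret = empty currency).
    Assumed format from the SIM documentation of the era; verify before use.
    Note that the card number is not an input here at all.
    """
    msg = f"{login}^{sequence}^{timestamp}^{amount}^".encode()
    return hmac.new(key.encode(), msg, hashlib.md5).hexdigest()


def sim_form_fields(amount: str, sequence: str, timestamp: int = None) -> dict:
    """Hidden fields for a form whose action is Authorize.Net's hosted
    payment URL. Card fields are typed into the hosted page, so they are
    posted to Authorize.Net, not to the merchant's server.
    """
    if timestamp is None:
        timestamp = int(time.time())
    return {
        "x_login": API_LOGIN_ID,
        "x_fp_sequence": sequence,
        "x_fp_timestamp": str(timestamp),
        "x_amount": amount,
        "x_fp_hash": sim_fingerprint(amount, sequence, timestamp),
        "x_show_form": "PAYMENT_FORM",
    }


if __name__ == "__main__":
    # Constructed AIM-style POST body: the card number lands on our server.
    aim_post = {"card_num": "4111111111111111", "exp_date": "0125", "amount": "10.00"}
    print("AIM view receives PAN in fields:", pan_fields(aim_post))

    # SIM: everything our server produces is signable order data, no PAN.
    sim_fields = sim_form_fields("10.00", "123", 1347283500)
    print("SIM fields containing a PAN:", pan_fields(sim_fields))
    print("SIM fingerprint:", sim_fields["x_fp_hash"])
```

Run the file to see the AIM body flagged and the SIM field set clean. The `pan_fields` check is cheap enough to wire into request logging on a staging deployment: if it ever fires on a view that was believed to be SIM- or hosted-CIM-only, that view is handling cardholder data and the scoping assumption behind the SAQ choice is wrong.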
