by kjs3
3935 days ago
Most organizations utilize third parties to handle credit card info so they don't have to be PCI compliant. That's not true. If you enable payment by credit card at all, you're subject to PCI. Even a SAQ A[1] category merchant (payment page entirely hosted and managed by a PCI-compliant, third-party payment processor) is required to formally confirm that their processor is currently PCI compliant, have written rules of engagement with the processor and obey the PCI data handling and retention requirements. And if you embed your payment page in your own page (technically, if any part of the payment page is served from your site and not the processor's site) then you're a SAQ-AP merchant[2], and you'll be expected to conform to a lot more of the standard.

[1] https://www.pcisecuritystandards.org/documents/Understanding...
[2] https://www.clerkendweller.uk/2014/3/7/PCIDSS-SAQ-AEP-and-SA...