Search code examples
credit-cardpci-dss

Minimizing PCI compliance when my checkout flow has a confirmation page

I have a shopping cart flow like this:

  • Page 1. Choose Products
  • Page 2. Enter address, shipping, credit card details on a single page checkout.
  • Page 3. User confirms the order - but we want a final opportunity to upsell, so we must be able to change the amount charged. If the user abandons this page they should not be charged OR authorized anything, but we must be able to call them and convince them to order without having to ask for their number again.

  • Page 4. Receipt page

  • Repeat billing is a requirement for later, with variable amounts and schedules. (The user must be able to come back and change their schedule without entering CC number again).

Here's what I dont want to do :

  • Send the user to a third party page (because I want a single page checkout and retain branding)
  • Minimize PCI compliance requirements
  • Authorize payments and cancel them if the user doesn't confirm. This is asking for trouble on many levels!

Since I need a confirmation page I think I will need to use some kind of tokenization system such as offered by braintreepayments. You basically store the credit card number on their service and they give you back a token that represents that number. You can then make a charge against that card at any time for any amount. This certainly seems the most flexible solution.

I'm kind of going round in circles trying to figure out if this is the best solution or not :

  • I don't know if BrainTree is the only company that offers such a service, but I'm also not convinced its really necessary.
  • If I temporarily store the CC in session until the user confirms it I can still use pretty much any payment gateway. Therefore the question becomes 'does it matter if I store the CC in memory temporarily' and to what degree.

The 'purest' safest approach seems to be to redirect to braintree (or someone else that offers a similar gateway).

Edit (after assigning bounty):

I've concluded that I absolutely have to have a system where we only need to meet level A for PCI. Been studying PCI in more detail and these questionnaires are the relevant ones for card-not-present merchants (i.e. e-commerce).

SAQ A : (when CC numbers don't even touch our server). You still have to fill out this questionnaire if you're selling online, but it is pretty easy.

SAQ D : (where CC numbers touch our server EVEN IF WE DONT STORE THEM)

Take a look at these questionnaires reveals a huge delta between requirements. The PCI requirments are often misrepresented as being a simple list such as 'maintain a firewall', 'security policy', 'limit physical access' - but if you actually read questionnaire D you'll see it has order of magnitute more questions and requirments. For instance you have to answer whether or not your server is protected by a video camera, and what kind of data encryption you have on your server.

I'd really appreciate knowing what actual products or providers out there that will facilitate me doing what I want to do. If there really is only 1 or 2 companies out there that let me do this then I need to know.

I've got no relationship to Braintree except I've managed to get on their email marketing list. They're just the only company I've managed to find that does this. If you are running another company doing the same then by all means blow your own trumpet. PCI requirements are only going to become more stringent over time and anyone who has got this far reading my question probably already realizes that.

Solution

  • Here's the general rule of thumb: If you don't read, store, or process the PAN (CC#) and/or exp date, then you don't need PCI Compliance. If you even remotely touch that card number, then you need to undergo PCI Compliance.

    Why not just make it easy and do PayPal ?