Tags: security, payment-gateway, pci-compliance

How to handle credit card information on my server


My company wants to start a subscription based website and I'm implementing it with a payment gateway.

The problem is, this payment gateway doesn't give me any tools to encrypt the client's credit card information before it reaches our server.

So my question is, how should I handle this very sensitive information?

I don't plan on storing it or anything, just send it straight from the server to the payment gateway for validation.

Are we even allowed to handle plain text credit card information?

I know this is a very open subject, I just want to get directed to somewhere I can read and understand more about this issue.


Solution

  • You’ll almost certainly need PCI compliance, and with the setup you’ve described, you’ll need the broadest scoped assessment. Not something you want to approach light-heartedly.

    If you already have industry standard security in place, then it shouldn’t be a big leap to PCI compliance, but most don’t have that. In general the approach to take is to reduce your scope. You could do this with a third party offering like an iframe or redirect; companies like Stripe offer solutions to do that. In that case you may be able to get away with SAQ A, otherwise you probably need SAQ D. This also depends on your volume: if it’s higher you’ll need a Report on Compliance (RoC), which can be expensive and is needed annually.

    You can have a chat with your merchant bank, since they are the ones generally requiring the compliance. They can be very helpful, presuming your service isn’t live.

    Check out the PCI Council website, loads of info on there to get you started.
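The scope reduction the answer describes only holds if card data really never reaches your server. As an added illustration (not code from the question, the answer or any gateway), this server-side handler accepts only an opaque gateway token and refuses any request body that contains a Luhn-valid card-number-like string, so an accidental leak of PAN into your own systems is caught rather than silently logged. The `tok_` prefix, the `payment_token` field and the card numbers are constructed assumptions, not a real gateway's API.

```python
import re
from typing import Any

# Constructed heuristic: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(value: Any) -> list:
    """Walk a decoded request body (dicts, lists, strings) and collect PAN-like values."""
    found = []
    if isinstance(value, dict):
        for v in value.values():
            found.extend(find_pans(v))
    elif isinstance(value, list):
        for v in value:
            found.extend(find_pans(v))
    elif isinstance(value, str):
        for m in PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                found.append(digits)
    return found


def create_subscription(body: dict) -> dict:
    """Server-side handler: works only with a gateway token, never with raw card data."""
    if find_pans(body):
        # Reject without echoing the body anywhere (logs included): PAN must stay out of scope.
        return {"status": 400, "error": "send card data to the payment gateway, not this server"}
    token = body.get("payment_token")          # assumed field name, set by the gateway's client-side form
    if not isinstance(token, str) or not token.startswith("tok_"):   # assumed token format
        return {"status": 400, "error": "missing payment token"}
    # A real integration would now call the gateway with the token only.
    return {"status": 200, "subscription": {"customer": body.get("email"), "token": token}}
```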