We're going to use some payment service that has a secure link where the payment form data will be posted (e.g. https://some-payment-gateway/securelink/sslpmt) Our form will contain all the required fields for the payment to be done: 1. Customer Info 2. Billing Info 3. Credit Card Info Should our form be hosted on the secure site as well? As we understand, even if our site is unsecure, e.g.: http://our-site/orderform.html If it contains the:
<form method="post" action="https://some-payment-gateway/securelink/sslpmt"> ... </form>
The form fields will be transmitted through secure connection and no data is compromised. Are we true or false?
False I'm afraid.
If you host a page that accepts card details then that page, the machine its running on and the network the machine is attached to must be PCI compliant. (What if someone compromised orderform.html and redirected the collected details elsewhere)
If you look there is a good chance that your some-payment-gateway Inc offers the ability to redirect users to pages they host themseleves in order to collect card details - This is almost always the sensible choice as it removes the bulk of compliancy obligations from you.
Re Braintree API I googled them and saw:
"Our Transparent Redirect API completely eliminates the handling and processing of credit card data from your environment ... Transparent Redirect is not a hosted page solution; it's entirely transparent to the end user"
Which seems a bit paradoxical, it does seems as though they do expect you to collect card details on your site - so you need to be compliant, which they confirm here.
Its jolly nice of them to have a "Download the pre-filled SAQ A version 2.0 and verify it is consistent with business practices." link & a QSA recommendation which you can take advantage of - but I would point out that signing off on the SAQ document is legally binding, just like any contract; if your system is breached and there is fraud, it can cost you an awful lot.