Collecting card data PCI level
We want to integrate a 3rd-party payment service. Their API expects the PAN and expiration date, and we need to determine what PCI level we need.
So, we just collect this data on the client and send it to our server, which will send it to them; we do not store it in a database.
pci-compliance pci-dss
asked Jan 2 at 12:18
jahoza
1 Answer
If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.
To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.
More information can be found in the official summary document
Thanks, but in case we need to store that data, what level will we need?
– jahoza
Jan 4 at 9:46
@jahoza if you’re storing it, SAQ-D.
– Bobson
Jan 4 at 12:24
Do you mean SAQ-D service provider?
– jahoza
Jan 4 at 12:58
@jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.
– Bobson
Jan 4 at 13:00
Yes, we just collect card data and send it to our processor.
– jahoza
Jan 4 at 13:07
edited Jan 4 at 12:39
answered Jan 3 at 1:41
Bobson
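The answer's condition is that card data never reaches your server in readable form. The following is an added example, not part of the original post or any processor's SDK: a server-side tripwire that flags request bodies carrying a PAN-like value, so a front-end regression that starts posting card fields to your own endpoint is noticed. The field names, token value and function names are assumptions made for illustration.

```javascript
// Added example: tripwire for card numbers reaching the merchant server.
// By the time it fires the data has already arrived, so it detects a broken
// integration; it does not replace posting card data straight to the processor.

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True for 13-19 digits (spaces or dashes allowed) that pass Luhn.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const text = String(value).trim();
  if (!/^\d[\d -]*\d$/.test(text)) return false;
  const digits = text.replace(/[ -]/g, "");
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Walk a parsed JSON body; return the paths (never the values) of PAN-like fields.
function findPanFields(body, path = "") {
  if (body !== null && typeof body === "object") {
    return Object.entries(body).flatMap(([key, child]) =>
      findPanFields(child, path ? `${path}.${key}` : key));
  }
  return looksLikePan(body) ? [path] : [];
}

// Handler-side check: accept token-only bodies, refuse anything carrying a PAN.
function checkPaymentBody(body) {
  const offending = findPanFields(body);
  // Log the offending paths only, never the body itself.
  return { status: offending.length === 0 ? 200 : 400, offending };
}

// Constructed samples: a token-only body and one carrying a well-known test PAN.
const TOKEN_BODY = { token: "tok_constructed_123", amount: 1999 };
const LEAKY_BODY = { card: { number: "4111 1111 1111 1111", exp: "12/25" } };
```

Long numeric identifiers can pass the Luhn check by chance, so treat a hit as a prompt to inspect that field rather than as proof of a leak.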