Collecting card data PCI level

Multi tool use
Multi tool use












-1















We want to integrate a 3rd party service, regarding payments, their API waiting PAN & expiration date, and we need to determinate what PCI level do we need?



So, we just collect this data on client, send them to our server which will send data to them, we do not store it in database.










share|improve this question



























    -1















    We want to integrate a 3rd party service, regarding payments, their API waiting PAN & expiration date, and we need to determinate what PCI level do we need?



    So, we just collect this data on client, send them to our server which will send data to them, we do not store it in database.










    share|improve this question

























      -1












      -1








      -1








      We want to integrate a 3rd party service, regarding payments, their API waiting PAN & expiration date, and we need to determinate what PCI level do we need?



      So, we just collect this data on client, send them to our server which will send data to them, we do not store it in database.










      share|improve this question














      We want to integrate a 3rd party service, regarding payments, their API waiting PAN & expiration date, and we need to determinate what PCI level do we need?



      So, we just collect this data on client, send them to our server which will send data to them, we do not store it in database.







      pci-compliance pci-dss






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 2 at 12:18









      jahozajahoza

      144




      144
























          1 Answer
          1






          active

          oldest

          votes


















          0














          If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.



          To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.



          More information can be found in the official summary document






          share|improve this answer


























          • Thanks, but in case we will need to store that data, what level we will need?

            – jahoza
            Jan 4 at 9:46











          • @jahoza if you’re storing it, SAQ-D.

            – Bobson
            Jan 4 at 12:24











          • Do you mean SAQ-D service provider?

            – jahoza
            Jan 4 at 12:58











          • @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

            – Bobson
            Jan 4 at 13:00











          • Yes, we just collect card data and send them to our processor.

            – jahoza
            Jan 4 at 13:07











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54006256%2fcollecting-card-data-pci-level%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.



          To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.



          More information can be found in the official summary document






          share|improve this answer


























          • Thanks, but in case we will need to store that data, what level we will need?

            – jahoza
            Jan 4 at 9:46











          • @jahoza if you’re storing it, SAQ-D.

            – Bobson
            Jan 4 at 12:24











          • Do you mean SAQ-D service provider?

            – jahoza
            Jan 4 at 12:58











          • @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

            – Bobson
            Jan 4 at 13:00











          • Yes, we just collect card data and send them to our processor.

            – jahoza
            Jan 4 at 13:07
















          0














          If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.



          To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.



          More information can be found in the official summary document






          share|improve this answer


























          • Thanks, but in case we will need to store that data, what level we will need?

            – jahoza
            Jan 4 at 9:46











          • @jahoza if you’re storing it, SAQ-D.

            – Bobson
            Jan 4 at 12:24











          • Do you mean SAQ-D service provider?

            – jahoza
            Jan 4 at 12:58











          • @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

            – Bobson
            Jan 4 at 13:00











          • Yes, we just collect card data and send them to our processor.

            – jahoza
            Jan 4 at 13:07














          0












          0








          0







          If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.



          To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.



          More information can be found in the official summary document






          share|improve this answer















          If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.



          To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.



          More information can be found in the official summary document







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 4 at 12:39

























          answered Jan 3 at 1:41









          BobsonBobson

          10.5k33669




          10.5k33669













          • Thanks, but in case we will need to store that data, what level we will need?

            – jahoza
            Jan 4 at 9:46











          • @jahoza if you’re storing it, SAQ-D.

            – Bobson
            Jan 4 at 12:24











          • Do you mean SAQ-D service provider?

            – jahoza
            Jan 4 at 12:58











          • @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

            – Bobson
            Jan 4 at 13:00











          • Yes, we just collect card data and send them to our processor.

            – jahoza
            Jan 4 at 13:07



















          • Thanks, but in case we will need to store that data, what level we will need?

            – jahoza
            Jan 4 at 9:46











          • @jahoza if you’re storing it, SAQ-D.

            – Bobson
            Jan 4 at 12:24











          • Do you mean SAQ-D service provider?

            – jahoza
            Jan 4 at 12:58











          • @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

            – Bobson
            Jan 4 at 13:00











          • Yes, we just collect card data and send them to our processor.

            – jahoza
            Jan 4 at 13:07

















          Thanks, but in case we will need to store that data, what level we will need?

          – jahoza
          Jan 4 at 9:46





          Thanks, but in case we will need to store that data, what level we will need?

          – jahoza
          Jan 4 at 9:46













          @jahoza if you’re storing it, SAQ-D.

          – Bobson
          Jan 4 at 12:24





          @jahoza if you’re storing it, SAQ-D.

          – Bobson
          Jan 4 at 12:24













          Do you mean SAQ-D service provider?

          – jahoza
          Jan 4 at 12:58





          Do you mean SAQ-D service provider?

          – jahoza
          Jan 4 at 12:58













          @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

          – Bobson
          Jan 4 at 13:00





          @jahoza No, SAQ-D Merchant (unless you're providing credit card processing services to someone else). I've added a link to the answer for more information.

          – Bobson
          Jan 4 at 13:00













          Yes, we just collect card data and send them to our processor.

          – jahoza
          Jan 4 at 13:07





          Yes, we just collect card data and send them to our processor.

          – jahoza
          Jan 4 at 13:07




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54006256%2fcollecting-card-data-pci-level%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          OJc,yJyX,dz bJEygGGk,MK oeArsqGn TR,Blh,G MpVbeTd9ogu3nambeTGqh6 gEuFJ
          5iYAd,whB Sw47 c8f w

          Popular posts from this blog

          Monofisismo

          Angular Downloading a file using contenturl with Basic Authentication

          Olmecas