PCI Compliance/Certification

anakadote

I build quite a few e-commerce websites with custom shopping carts. I never store sensitive data in the database and always send it using SSL to the payment gateway. The gateways I've used have never required PCI certification and I've always thought that it wasn't required since the data is never stored. I think now, however, that because credit card data is entered into the website the merchant (my clients) must fill out and submit a Self-Assessment Questionnaire C (SAQ C). This is fine, except some of the requirements aren't very clear. Does anyone know of a resource that is easy to follow and understand in regard to PCI compliance and SAQ C?

dagon

you only have to fill it in if requested by the payment gateway, and i have yet to encounter one that requires it, but most will provide documentation on what they require. Whats not clear in the SAQ C, i filled one out the other day for a clients insurance company.

reli4nt

PCI compliance is when you store credit card details and not a small set of requirements to fulfill. Just be careful if you use ecommerce packages like oscommerce because some store full credit cards details by default.

anakadote

If at any point your web application touches credit card information then you need to be PCI compliant, even if you're not storing it. Since I don't store info but rather just transmit it then I believe SAQ C is the form that my clients need to complete. The Attestation of Compliance is simple enough, however, the actual SAQ has questions that seem to apply when cardholder data is being stored. For instance, Question 1 asks about a firewall configuration. Question 5 asks about anti-virus software. Who do these apply/refer to? The hosting server? Even though that the cardholder isn't being stored? The OS in Unix-based and can't get viruses and the server has a built-in firewall. My experience on the server/hardware level isn't as strong as programming so maybe I'm missing something obvious, I don't know.

dagon

If the upstream provider of the credit card services does not require it then there's noting for you to do. Your contract is with them.

anakadote

With the particular gateway that I'm using for this project, they are requiring us to complete SAQ C. I'm just not sure how to answer the questions I mentioned above because they appear to be 1) more at the server/host level and 2) for applications that store cardholder data.

reli4nt

Dagon is correct: Looking over the specs I can see that refraining from storing cc numbers, https connections, etc. are part of PCI compliance so the bulk of compliance is out of the retailers hands in most cases but as a transmitter of cc data there are a few common things the website owner is still responsible for.

dagon

anakadote;10966912 wrote:
With the particular gateway that I'm using for this project, they are requiring us to complete SAQ C. I'm just not sure how to answer the questions I mentioned above because they appear to be 1) more at the server/host level and 2) for applications that store cardholder data.

post a link to the one your filling out, there seem to be several options on the pci site. You could always answer Not Applicable to the ones that don't apply to you.