zen4ever / django-authorizenet

Django and Authorize.NET payment gateway integration
MIT License

CC number visible to samplestore #21

Open jrief opened 12 years ago

jrief commented 12 years ago

When using "Make direct payment" the credit card number is sent via POST request to the customer's server. This means that your customer needs a PCI DSS certification. I can't imagine that this is the intended usage for this module.

zen4ever commented 12 years ago

django-authorizenet implements three types of Authorize.NET APIs: SIM, AIM, CIM

When you are using SIM and CIM APIs, CC data is stored on Authorize.NET servers, which are PCI DSS compliant.

Regarding AIM, yes, you have to be PCI DSS compliant, because it involves transmission of credit card data: http://www.authorize.net/support/merchant/Integration_Settings/Advanced_Integration_Method_(AIM)_Settings.htm "Please keep in mind that AIM involves the collection, transmission, and storage of cardholder data on your Web server. Because of this, compliance with the PCI Data Security Standard is required by the Card Associations."

PCI DSS compliance has different levels:

If you don't want to worry (much) about PCI DSS compliance, you should use SIM or Hosted CIM APIs, this way your web server never touches CC data. (Though, I believe you still need to complete Self-Assessment Questionnaire A)

If you don't store any CC data (AIM, CIM), and just "transmit" it you need to complete Self-Assessment Questionnaire C.

All SAQ can be found here: https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

When you are a small business your PCI DSS compliance is checked by the bank with whom you have your merchant account, so you don't have to pay big bucks for formal PCI Certification (at least that was my experience with some of my clients). You should double check with your bank what their requirements are for allowing you to accept credit card payments on your site.

Here you can read more about PCI DSS compliance:
https://www.pcisecuritystandards.org/security_standards/
http://www.sysnetglobalsolutions.com/en/PCI_DSS/PCI_DSS_FAQs.aspx
http://www.mijireh.com/docs/what-you-need-to-know-about-pci-compliance/

On Sep 10, 2012, at 2:25 PM, jrief notifications@github.com wrote:

When using "Make direct payment" the credit card number is sent via POST request to the customers server. This means that your customer needs a PCI DSS certification. I can't imagine that this is the intended usage for this module.

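The distinction zen4ever draws above (AIM: the card number lands on your server; SIM: the browser posts the card number straight to the gateway and your server only signs the order and receives a transaction result) is easy to get wrong in a view that "just forwards" the form. The following added example, which is not code from django-authorizenet, does two things a maintainer assessing scope would want: it flags any incoming POST whose fields carry a Luhn-valid card number (that request handler is in PCI DSS scope), and it shows the SIM-side data your server actually handles, namely a signed fingerprint and no card data. The field names `x_card_num`, `x_trans_id`, `x_fp_hash` and the HMAC-MD5 fingerprint construction are assumed from Authorize.Net's SIM/AIM documentation; the two POST payloads are constructed sample inputs, and `4111111111111111` is the usual Visa test number.

```python
"""Added example (not part of django-authorizenet): which integration
style puts cardholder data on your server, and how to detect it."""
import hashlib
import hmac
import re
import time

# 13 to 19 digits after spaces/dashes are removed: the PAN length range.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_fields(post_data: dict) -> list:
    """Names of fields whose value looks like a card number.
    A non-empty result for a request your own server receives means that
    server stores/transmits cardholder data and is in PCI DSS scope."""
    found = []
    for name, value in post_data.items():
        compact = re.sub(r"[ -]", "", str(value))
        if PAN_RE.match(compact) and luhn_valid(compact):
            found.append(name)
    return found


def redact(post_data: dict) -> dict:
    """Copy of the data that is safe to log: PANs keep only the last four."""
    pans = set(pan_fields(post_data))
    out = {}
    for name, value in post_data.items():
        if name in pans:
            compact = re.sub(r"[ -]", "", str(value))
            out[name] = "*" * (len(compact) - 4) + compact[-4:]
        else:
            out[name] = value
    return out


def sim_fingerprint(login: str, transaction_key: str, sequence: str,
                    timestamp: int, amount: str) -> str:
    """x_fp_hash for a SIM form. Assumption: HMAC-MD5 with the transaction
    key over 'login^sequence^timestamp^amount^' (empty currency field)."""
    msg = f"{login}^{sequence}^{timestamp}^{amount}^".encode()
    return hmac.new(transaction_key.encode(), msg, hashlib.md5).hexdigest()


def sim_form_fields(login: str, transaction_key: str, sequence: str,
                    amount: str, timestamp: int = None) -> dict:
    """Hidden fields the browser posts directly to the gateway. Note what
    is absent: no card number, expiry or CVV ever passes through us."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "x_login": login,
        "x_fp_sequence": sequence,
        "x_fp_timestamp": str(ts),
        "x_fp_hash": sim_fingerprint(login, transaction_key, sequence, ts, amount),
        "x_amount": amount,
        "x_show_form": "PAYMENT_FORM",
    }


# Constructed sample payloads (not captured traffic).
AIM_POST = {                     # what an AIM "direct payment" view receives
    "x_card_num": "4111 1111 1111 1111",
    "x_exp_date": "1225",
    "x_amount": "10.00",
}
SIM_CALLBACK = {                 # what a SIM relay-response view receives
    "x_trans_id": "2147490176",
    "x_response_code": "1",
    "x_amount": "10.00",
}

if __name__ == "__main__":
    print("AIM view handles card data in:", pan_fields(AIM_POST))
    print("SIM callback handles card data in:", pan_fields(SIM_CALLBACK))
    print("log-safe AIM payload:", redact(AIM_POST))
    print("SIM form fields:", sim_form_fields("apilogin", "txnkey", "42", "10.00", 1347300000))
```

Running `pan_fields` over every request handler's POST data in a test suite (or as a middleware assertion in a staging environment) is a cheap way to confirm that only the views you intend to be in scope ever see a PAN; `redact` is the form in which any such payload may reach a log line.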