E-commerce compliance when bank card details are processed by a third party
What forms of e-commerce compliance such as PCI-DSS apply when the card details are processed by a third party such as Paypal?
I am building a bespoke shopping cart system that uses Paypal Express, so the card details never hit my server. I do, however, retain customer details, so what compliance (both at a code and a hardware level) must or should I be adhering to?
According to the PCI DSS, you only need to encrypt customer details if they are stored along with the PAN (aka credit card number). Since you aren't storing or transacting the PAN, there should be nothing extra you need to do.
See page 5 of the PCI DSS:
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
If credit card data never physically hits your server (including RAM due to a form post) then PCI-DSS does not apply. Outsourcing your credit card handling to a compliant third party is by far the easiest way to be compliant yourself.