PCI compliance - is SSL required in a transparent redirect scenario?

Posted 2024-11-05 17:56:09, 498 characters, 0 views, 0 comments


We're going to use some payment service that has a secure link where the payment form data will be posted (e.g. https://some-payment-gateway/securelink/sslpmt)
Our form will contain all the required fields for the payment to be done:
1. Customer Info
2. Billing Info
3. Credit Card Info
Should our form be hosted on the secure site as well?
As we understand, even if our site is insecure, e.g.:
http://our-site/orderform.html
If it contains the:

<form method="post" action="https://some-payment-gateway/securelink/sslpmt">
...
</form>

The form fields will be transmitted through secure connection and no data is compromised.
Are we true or false?

Comments (1)

爱你不解释 2024-11-12 17:56:09


False I'm afraid.

If you host a page that accepts card details then that page, the machine it's running on and the network the machine is attached to must be PCI compliant. (What if someone compromised orderform.html and redirected the collected details elsewhere?)

If you look there is a good chance that your some-payment-gateway Inc offers the ability to redirect users to pages they host themselves in order to collect card details - this is almost always the sensible choice as it removes the bulk of compliance obligations from you.

Re Braintree API
I googled them and saw:

"Our Transparent Redirect API
completely eliminates the handling and
processing of credit card data from
your environment ... Transparent
Redirect is not a hosted page
solution; it's entirely transparent to
the end user"

Which seems a bit paradoxical; it does seem as though they do expect you to collect card details on your site - so you need to be compliant, which they confirm here.

It's jolly nice of them to have a "Download the pre-filled SAQ A version 2.0 and verify it is consistent with business practices." link & a QSA recommendation which you can take advantage of - but I would point out that signing off on the SAQ document is legally binding, just like any contract; if your system is breached and there is fraud, it can cost you an awful lot.
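The answer's point, that an HTTPS form action on its own does not protect a card form served over HTTP, can be checked mechanically. The following is an added example, not code from the thread or from the asker's site: it parses a page, flags forms whose field names look like card data (an assumed heuristic), and reports whether both the page and the form action use HTTPS. The sample HTML is constructed to mirror the asker's orderform.html.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest a form collects card data (assumed heuristic).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_")

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_card_forms(page_url, html):
    """Return one finding per form that looks like it collects card details."""
    parser = FormCollector()
    parser.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not any(h in f for f in form["fields"] for h in CARD_FIELD_HINTS):
            continue
        action = urljoin(page_url, form["action"])  # relative action inherits page scheme
        action_https = urlparse(action).scheme == "https"
        findings.append({
            "action": action,
            "action_https": action_https,  # the POST itself travels encrypted
            "page_https": page_https,      # the page that builds the form is protected in transit
            # Both are needed: an HTTP page can be altered before the user ever submits.
            "transport_ok": page_https and action_https,
        })
    return findings

# Constructed sample mirroring the asker's orderform.html (not a real site).
SAMPLE_HTML = """<form method="post" action="https://some-payment-gateway/securelink/sslpmt">
<input name="customer_name"><input name="card_number"><input name="cvv">
</form>
<form method="post" action="/newsletter"><input name="email"></form>"""
print(audit_card_forms("http://our-site/orderform.html", SAMPLE_HTML))
```

A `transport_ok` of true says nothing about PCI scope: as the answer notes, hosting the form at all keeps the page, host and network in scope.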
