PCI compliance - is SSL required in a transparent redirect scenario?
We're going to use some payment service that has a secure link where the payment form data will be posted (e.g. https://some-payment-gateway/securelink/sslpmt)
Our form will contain all the required fields for the payment to be done:
1. Customer Info
2. Billing Info
3. Credit Card Info
Should our form be hosted on the secure site as well?
As we understand, even if our site is insecure, e.g.:
http://our-site/orderform.html
If it contains the:
<form method="post" action="https://some-payment-gateway/securelink/sslpmt">
...
</form>
The form fields will be transmitted through secure connection and no data is compromised.
Are we true or false?
False I'm afraid.
If you host a page that accepts card details then that page, the machine it's running on and the network the machine is attached to must be PCI compliant. (What if someone compromised orderform.html and redirected the collected details elsewhere?)
If you look there is a good chance that your some-payment-gateway Inc offers the ability to redirect users to pages they host themselves in order to collect card details - This is almost always the sensible choice as it removes the bulk of compliance obligations from you.
Re Braintree API
I googled them and saw:
Which seems a bit paradoxical; it does seem as though they do expect you to collect card details on your site - so you need to be compliant, which they confirm here.
It's jolly nice of them to have a "Download the pre-filled SAQ A version 2.0 and verify it is consistent with business practices." link & a QSA recommendation which you can take advantage of - but I would point out that signing off on the SAQ document is legally binding, just like any contract; if your system is breached and there is fraud, it can cost you an awful lot.
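The answer's point is that the page which renders the card form is what puts you in scope, regardless of where the form posts. The script below is an added example, not code from the question or answer: a small page-level check that parses an order form, flags fields that look like cardholder data, and reports whether the page itself is served over HTTPS and whether the form action is HTTPS. The two sample pages are constructed to mirror the asker's setup (HTTP page posting to an HTTPS gateway) and the hosted-payment-page alternative the answer recommends; the field-name heuristic is an assumption and will need tuning for real forms.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic for field names that carry cardholder data (card number, CVV,
# expiry, cardholder name). Assumption for this example; real forms vary.
CARD_FIELD_RE = re.compile(r"\b(card|cc|pan|cvv|cvc|csc|exp)", re.I)


class FormScanner(HTMLParser):
    """Collect each <form> with its resolved action, method and card-like fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # Relative actions resolve against the page, so an HTTP page
                # with action="/pay" posts over HTTP as well.
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "card_fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            if CARD_FIELD_RE.search(name):
                self._current["card_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess(page_url, html):
    """Return {'in_pci_scope': bool, 'issues': [str]} for one rendered page."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    result = {"in_pci_scope": False, "issues": []}
    page_https = urlsplit(page_url).scheme == "https"

    for form in scanner.forms:
        if not form["card_fields"]:
            continue  # no cardholder data collected by this form
        # Any page that renders card fields is in PCI DSS scope, even if the
        # POST itself goes to the gateway over TLS.
        result["in_pci_scope"] = True
        if not page_https:
            result["issues"].append(
                "card form served over HTTP: the page can be altered in transit "
                "(form action rewritten or script injected) before the user submits"
            )
        if urlsplit(form["action"]).scheme != "https":
            result["issues"].append(f"card form posts to non-HTTPS action {form['action']}")
        if form["method"] != "post":
            result["issues"].append("card form uses GET: card data would end up in URLs and logs")
    return result


# Constructed sample 1: the asker's layout, an HTTP order form posting to the gateway.
SAMPLE_ORDER_FORM = """
<html><body>
<form method="post" action="https://some-payment-gateway/securelink/sslpmt">
  <input name="customer_name"> <input name="billing_address">
  <input name="card_number"> <input name="cvv"> <input name="exp_month">
  <input type="submit" value="Pay">
</form></body></html>
"""

# Constructed sample 2: the hosted-payment-page alternative; the merchant page
# only forwards an order reference and the gateway collects the card details.
SAMPLE_HOSTED_PAGE = """
<html><body>
<form method="post" action="https://some-payment-gateway/hosted/start">
  <input type="hidden" name="order_id" value="12345">
  <input type="submit" value="Pay now">
</form></body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://our-site/orderform.html", SAMPLE_ORDER_FORM),
                      ("https://our-site/checkout.html", SAMPLE_HOSTED_PAGE)):
        r = assess(url, html)
        print(url, "in PCI scope:", r["in_pci_scope"])
        for issue in r["issues"]:
            print("  -", issue)
```

Running it against the first sample reports the page as in scope with one issue (the HTTP delivery of the form); the second sample, where no card field is rendered by the merchant, is reported out of scope with no issues, which is the outcome the answer's redirect suggestion is aiming for.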