HappyPappy Posted August 9, 2008 Share Posted August 9, 2008 Hi All, Must share this in case others are stuck. If your cart stores or transmits credit card data, even if it is to a proper payment gateway, your cart, hosting, network, the whole box and dice needs to be PCI compliant certified. There's no getting around it anymore. I spent a few weeks going back and forth to Visa, my bank and I even got a vulnerability scan on my hosting (terrible failed results cause I've got normal shared hosting), and a quote from a company that does auditing. I was left feeling the whole thing is just insane. But these are the rules now. A good friend of mine is paying off a $15,000.00 fine so ain't no way I want to risk it. Anyway, was about an inch away from walking away from everything and I read some blurbs on these new PCI manual payment gateways out now. A little bit of the too good to be true scenario but I jumped in and have not looked back. For those wanting a detailed explanation I should mention I can only report on the one I am now with, which is the e-Path Payment Gateway (http://e-path.com.au) Don't know about the others. With a manual payment gateway your cart never sees or touches credit card details so you offload the liability completely. There is NO PCI DSS compliance needed for your osc because your gateway is already PCI DSS compliant and under SSL. Suppose its like a glorified remotely hosted payment page except every gateway is unique to each owner and has its own encryption/decryption systems. I enter credit cards directly into my merchant account at my bank to charge the cards, which is a manual process but I've been able to id every single fake payment attempt recieved and delete them. So far I haven't transacted a single fake payment which is pretty remarkable considering last year fraud and charge backs cost me a little under 2 grand. So now I accept credit cards and am totally PCI DSS compliant and I haven't spent a cent on getting dedicated hosting, vulnerability scanning, auditing etc, etc, etc or any other rediculous stuff. e-Path have osc payment modules for their gateway. osc should have these built in as a PCI compliant manual option. I know heaps like to do things manually for offline transacting and these new gateways allow you to still do it that way and be totally PCI DSS complaint. Anyway, the message is if you don't mind doing things manually then you can be PCI DSS compliant very cheaply. Hope this info helps some who may be in a panic about PCI. Bye Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.