PCI DSS Compliance
Does anyone here have any experience with achieving PCI DSS certification for your application?

Comments

  • Clouvider Member, Patron Provider
    edited March 2018

    https://www.itgovernance.co.uk/

    This will be expensive.

    Thanked by 1Aidan
  • I found many compliance solutions providers on Google. But most of them don't provide any detailed information about the certification process.

  • Clouvider Member, Patron Provider

    @Dumbledore said:

    I found many compliance solutions providers on Google. But most of them don't provide any detailed information about the certification process.

    Reach out to the above guys. This is tailor made stuff depending on what the scope is etc. They do compliance for quite a few of our vendors as well.

  • Clouvider said: Reach out to the above guys. This is tailor made stuff depending on what the scope is etc. They do compliance for quite a few of our vendors as well.

    Thanks, I have contacted them.

  • Just in case this is relevant to your situation, have a quick look at https://www.spreedly.com/pci

    By using a third party to store sensitive payment data, you can circumvent an expensive audit of your code.

    Thanked by 1Dumbledore
  • What exactly do you want to achieve? I currently work for a fintech company which is PCI DSS certified and I can tell you it involves a lot of planning, a lot of work, a lot of paperwork and a lot of expenses. Granted you are probably looking for a different type of certification, but it is not going to be cheap.

    Thanked by 2Clouvider Dumbledore
  • It seems they don't support our payment gateway. I have to check in detail.

  • nico Member

    This depends on why you want to reach PCI DSS compliance: do you have a website where you wish to store CC data, or do you want to process 3rd party payments, or ...?

    Without knowing more, no one can say what is involved or what it will cost.

  • rds100 said: What exactly do you want to achieve? I currently work for a fintech company which is PCI DSS certified and I can tell you it involves a lot of planning, a lot of work, a lot of paperwork and a lot of expenses. Granted you are probably looking for a different type of certification, but it is not going to be cheap.

    We have a payment aggregator application hosted on AWS. It processes a good number of transactions. Currently, it uses the payment gateway's page to input card details. Now we are looking for a seamless integration, so our payment gateway asked us to get PCI certified. Also, we don't want to store any card details.

  • nico said: This depends on why you want to reach PCI DSS compliance: do you have a website where you wish to store CC data, or do you want to process 3rd party payments, or ...?

    I have explained above. We don't want to store any card details. It will be passed to PCI DSS certified payment gateways only.

  • Dumbledore said: ricardo said: https://www.spreedly.com/pci

    It seems they don't support our payment gateway. I have to check in detail.

    Thought it was worth a mention in case you weren't aware that you do not have to go through the whole rigmarole of full PCI DSS compliance. There are likely other options available. Spreedly are also quite responsive, if they're missing a payment gateway it may be worth asking them if they will/are intending to support them in future.

  • Hxxx Member

    Or just use PayPal standard, Stripe (through their web form), 2co (through their website).

    Really no need to store, receive or transmit such sensitive data unless you are a big ass start up with lots of cash.

  • Hxxx said: Stripe

    We already have non-seamless integration with these gateways. We think now it's a good time to go seamless.

  • ricardo said: Thought it was worth a mention in case you weren't aware that you do not have to go through the whole rigmarole of full PCI DSS compliance. There are likely other options available. Spreedly are also quite responsive, if they're missing a payment gateway it may be worth asking them if they will/are intending to support them in future.

    I know it's a lengthy and costly process. But I can't find a ballpark figure anywhere since it's a customised service. We are already in talks with a couple of vendors. I just wanted to know if anyone here has experience with certification.

  • Hxxx Member

    Since you are not going to store cc details, it might not be that hard to achieve. Also not as expensive as you might think since not all the steps will apply to your case.

    Thanked by 1Dumbledore
  • Dumbledore said: ballpark figure

    The key difference which you've already alluded to is that you're not handling credit card details. This means your costs are close to zero, 3rd parties aside.

  • Clouvider Member, Patron Provider

    @ricardo said:

    Dumbledore said: ballpark figure

    The key difference which you've already alluded to is that you're not handling credit card details. This means your costs are close to zero, 3rd parties aside.

    I think he mentioned he is not storing them, he didn't, however, say that he is not processing them on his server and that's crucial to limit the scope.

    The moment the card details touch the server this becomes expensive.
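
    The scoping point raised above (card data that never touches your server keeps the audit small) can be enforced rather than assumed. The following is an added example, not code from the thread or from any vendor named in it: a scope-breach detector that scans the request bodies your backend receives for Luhn-valid card numbers, so that a token-only integration can be verified (and a regression that starts posting raw PANs to your server gets caught). The sample request bodies are constructed for the demo.

```python
import json
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit sequences that look like card numbers AND pass Luhn.
    Luhn cuts most false positives (timestamps, order ids) but not all;
    roughly one random digit run in ten still passes, so treat hits as alerts to triage."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first 6 / last 4 (the usual permitted display form) so the detector's own
    alerts and logs never carry a full PAN and do not widen the scope themselves."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def request_in_scope(body: str) -> dict:
    """Classify one inbound request body: in scope if any card number is present."""
    pans = find_pans(body)
    return {"in_scope": bool(pans), "masked": [mask(p) for p in pans]}


# Constructed sample bodies: a token-only request (hoped-for state) and a raw-card request
# (the case that drags the server into full PCI DSS scope).
SAMPLE_TOKEN_ONLY = json.dumps({"payment_token": "tok_constructed_8f3a", "amount": 1999})
SAMPLE_RAW_CARD = json.dumps({"card_number": "4111 1111 1111 1111", "exp": "12/30", "amount": 1999})

if __name__ == "__main__":
    for label, body in (("token-only", SAMPLE_TOKEN_ONLY), ("raw-card", SAMPLE_RAW_CARD)):
        print(label, request_in_scope(body))
```

Run this as middleware or over archived request logs; any `in_scope: True` hit means card data is crossing your server and the cheap SAQ path is no longer honest.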

  • ricardo said: The key difference which you've already alluded to is that you're not handling credit card details. This means your costs are close to zero, 3rd parties aside.

    We just don't store it but will be transmitting card details so we need to be PCI DSS compliant. PCI DSS compliant badge is a requirement for seamless integration.

  • Fair point to be clear on, that's why I said 'handling'. Spreedly for instance, uses an iframe to submit customer CC details, so the level of PCI compliance is low.

  • Dumbledore said: We just don't store it but will be transmitting card details so we need to be PCI DSS compliant. PCI DSS compliant badge is a requirement for seamless integration.

    In that case, off the top of my head it'd be a low 5 figure USD amount depending on the complexity of your code. Your code needs to be independently verified.

    I'm not sure if this is absolutely necessary for your requirements. You can use a third party provider like spreedly, allow a customer to enter their details once, and you'll receive a payment token where you can charge recurring payments if you wish. No overhead of a code audit.

    I'm speaking from only a little experience in this area, mind you, but am generally aware that handling credit card details massively increases your compliance requirements.

  • ricardo said: In that case, off the top of my head it'd be a low 5 figure USD amount depending on the complexity of your code. Your code needs to be independently verified.

    I'm not sure if this is absolutely necessary for your requirements. You can use a third party provider like spreedly, allow a customer to enter their details once, and you'll receive a payment token where you can charge recurring payments if you wish. No overhead of a code audit.

    I'm speaking from only a little experience in this area, mind you, but am generally aware that handling credit card details massively increases your compliance requirements.

    I hope it's a one-time cost. Not an arc.

    I will talk to Spreedly about our requirements. If they can help us, it will bring down the cost substantially.

  • nico Member
    edited March 2018

    This thread got filled with completely wrong information.

    What you have to do is a quarterly PCI scan through an accredited ASV and a yearly SAQ.
    A PCI scan you get from USD 150 per year.
    The SAQ you can fill in yourself; it will take 1-2 hours.

    This is real information based on my own experience; aside from that, I also store CC data for one-click payments and subscriptions.

    In case you have more than 1M transactions with VISA or Mastercard you must reach Level 3 compliance, which requires an on-site scan and software audits; this will cost 5 figures.

  • Dumbledore Member
    edited March 2018

    nico said: This thread got filled with completely wrong information.

    What you have to do is a quarterly PCI scan through an accredited ASV and a yearly SAQ. A PCI scan you get from USD 150 per year. The SAQ you can fill in yourself; it will take 1-2 hours.

    This is real information based on my own experience; aside from that, I also store CC data for one-click payments and subscriptions.

    In case you have more than 1M transactions with VISA or Mastercard you must reach Level 3 compliance, which requires an on-site scan and software audits; this will cost 5 figures.

    This is what I thought first. But it seemed too easy. Do I have to audit my code for PCI DSS certification, or just an external quarterly scan + SAQ?

    Edit: I only need Level 4/3

  • nico Member
    edited March 2018

    If you don't have more than 1M transactions yearly with VISA or Mastercard, that means a quarterly PCI scan plus SAQ, that's all.
    Yes, it's that easy, but there are many companies around that would like to earn from them.

    As we're on LET: you will find HackerGuardian resellers that sell a yearly subscription for around $150.
    Some acquirers offer free scans through a partnership with an ASV.

    Thanked by 1Dumbledore
  • nico said: If you don't have more than 1M transactions yearly with VISA or Mastercard, that means a quarterly PCI scan plus SAQ, that's all. Yes, it's that easy, but there are many companies around that would like to earn from them.

    As we're on LET: you will find HackerGuardian resellers that sell a yearly subscription for around $150. Some acquirers offer free scans through a partnership with an ASV.

    Thanks for the information. I contacted them directly. They suggested I get their HackerProof, which includes unlimited scans and has the Trust Mark seal.

  • Clouvider Member, Patron Provider

    @Dumbledore said:

    ricardo said: In that case, off the top of my head it'd be a low 5 figure USD amount depending on the complexity of your code. Your code needs to be independently verified.

    I'm not sure if this is absolutely necessary for your requirements. You can use a third party provider like spreedly, allow a customer to enter their details once, and you'll receive a payment token where you can charge recurring payments if you wish. No overhead of a code audit.

    I'm speaking from only a little experience in this area, mind you, but am generally aware that handling credit card details massively increases your compliance requirements.

    I hope it's a one-time cost. Not an arc.

    I will talk to Spreedly about our requirements. If they can help us, it will bring down the cost substantially.

    It’s a recurring cost, and in addition to it whenever you do changes in this code.

    Thanked by 1Dumbledore
  • Clouvider said: It’s a recurring cost, and in addition to it whenever you do changes in this code.

    Not for their iframe implementation, you're paying a flat fee depending on how many payment tokens are stored. Once your implementation of the iframe is set, that is it.

    Thanked by 1Dumbledore
  • Clouvider said: It’s a recurring cost, and in addition to it whenever you do changes in this code.

    You sure we need to audit our code?

  • ricardo said: Not for their iframe implementation, you're paying a flat fee depending on how many payment tokens are stored. Once your implementation of the iframe is set, that is it.

    I'm going for full PCI compliance.

  • In that case, just measure up the cost of your audit vs 3rd party implementations. You've had two ballpark figures, longer term if you have the volume it may work out cheaper.
