PCI compliance

7 years 6 months ago #8155 by sjp
PCI compliance was created by sjp
Hi support,

On the webpage with Payment Gateways I am missing information about the PCI compliance per payment gateway / provider. It would be really handy if it was mentioned if the website must be PCI compliant to use certain payment gateway integrations mentioned on this page. For some integrations I could get information on the payment providers' website.

If I am right, PCI compliance is not needed when using Mollie and PayPal Standard integration. But I am not sure about some of the other payment providers I was looking at like Stripe, Authorize.net, CIMB, and E-way. It seems to depend on the type of integration Solidres has made. Could you tell me for which payment providers the website must be PCI compliant? Thank you for your help!

Best regards,
Sandra

7 years 6 months ago #8162 by solidres
Replied by solidres on topic PCI compliance
Hi,

Nice week to you.

You are right about Mollie and PayPal Standard.

About other payment methods, it is best to consult the payment gateway company directly. The following links could be useful for you:

www.eway.com.au/about-eway/technology-security/pci
stripe.com/docs/security

Regards,

7 years 5 months ago #8174 by sjp
Replied by sjp on topic PCI compliance
Thanks for your reply! I checked E-way Payment Provider and there are so many different API integrations mentioned on their site: there are eWAY Rapid APIs and Legacy APIs. Now my question is: what type of API integration does Solidres offer hospitality businesses and platforms? This determines which PCI compliance requirements there are for their website. Below are the different API integrations mentioned on eWay:

eWAY Rapid APIs
Responsive Shared Page - SAQ A (14 requirements)
Rapid iFrame - SAQ A (14 requirements)
Transparent Redirect - SAQ A-EP (140 requirements)
Client Side Encryption - SAQ A-EP (140 requirements)
Direct Payments - SAQ D (326 requirements)
MOTO within MYeWAY - SAQ C-VT (73 requirements)
PayNow Button - SAQ A (14 requirements)

Legacy APIs
Direct XML - SAQ D (326 requirements)
Direct XML Stored - SAQ D (326 requirements)
Direct PreAuth XML - SAQ D (326 requirements)
Shared Payments - SAQ A (14 requirements)
Managed Payments Token Web Service - SAQ D (326 requirements)
Rebill XML API - SAQ D (326 requirements)
Rebill Web Service - SAQ D (326 requirements)

The following details I found on the Stripe website about the PCI compliance:

All Stripe users must be compliant with the PCI Data Security Standards (PCI DSS). Checkout and Stripe.js meets the requirements and security constraints of the Self-Assessment Questionnaire (SAQ), SAQ A, by performing all transmission of sensitive cardholder data within an IFRAME served off of a stripe.com domain that is controlled by Stripe.
As long as you serve your payment pages over TLS, and use either Checkout or Stripe.js as the only way of handling card information, Stripe automatically creates a prefilled SAQ A questionnaire for you, and you won’t need to undergo a PCI audit. If card data is stored or transferred through your servers, you are responsible for following PCI DSS guidelines for handling card data, and periodic audits by a PCI-certified auditor.

Now my question is: does Solidres use Checkout and Stripe.js in its Stripe integration? And if not, what type of integration does Solidres have with Stripe?

I can tell you it is very time consuming to search and read all this information about PCI compliance and API integrations. I am a bit disappointed that Solidres does not give sufficient information about what type of API integration Solidres has with the payment providers it connects to. You could give more information on the page where you sell these integrations as 6 months subscriptions. Only your company knows which integrations are exactly made between Solidres and these payment providers/gateways, and what that means for PCI compliance. If you let your customers pay a subscription fee for integration with payment providers it seems fair you give more information about these integrations.

Best regards,
Sandra

7 years 5 months ago #8179 by solidres
Replied by solidres on topic PCI compliance
Hi,

About eWay payment plugin, Solidres uses the Direct Payment method.

About Stripe, Solidres does not use Checkout or Stripe.js, and the card info is transferred via your servers, therefore you will need PCI compliance. Solidres connects to Stripe via the REST API as described here:

stripe.com/docs/api

We will try our best to update more information about PCI in the payment gateway page in the near future. Let us know if you have further questions.

Regards,

7 years 5 months ago #8189 by sjp
Replied by sjp on topic PCI compliance
Hi support team,

Thank you for the information. I hope Solidres will also add more payment integrations that don't go through the own website server. I saw that it's possible with Stripe, eWay and Authorize.net. I think using servers of payment providers is a more simple and secure way for hospitality businesses to charge customers or to authorize credit cards, because they don't need to worry about PCI DSS compliance. I suppose it also saves on server data.

Can the payment integrations you offer be used in the same way when having a booking portal? I am asking, because it means that a lot of hospitality businesses will use one or more payment options on the booking portal website. My site uses a private SSL certificate with a dedicated IP address.

Best regards,
Sandra

7 years 5 months ago #8194 by solidres
Replied by solidres on topic PCI compliance
Hi,

Nice week to you.

Yes, we agree with you that although all integrated payment methods (guests are not redirected to an external website to complete payment) offer a more seamless booking experience, they require PCI DSS compliance for the website owners.

We will add a Stripe.js option to the current Stripe payment plugin in the next v0.3.0 release, please stay tuned.

All payment plugins can be used the same way whether the Hub plugin is available or not.

Regards,
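
Added example, not part of the thread and not Solidres code: a static check a site owner can run on their own checkout page to see which of the two situations discussed above applies, card fields posted to the site's own server (the REST API integration) or card entry isolated in a frame served by the payment provider (the Stripe.js/Checkout model quoted from Stripe). The field-name hints, hosts, paths and sample pages are constructed assumptions, and the result describes the data flow only; the SAQ level that follows from it is defined by the provider's documentation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic name fragments for card inputs (assumption; extend for your plugin).
CARD_HINTS = ("cardnumber", "card_number", "ccnumber", "cc_number", "cvv", "cvc")

class CheckoutScan(HTMLParser):
    """Records where a checkout page sends card fields."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.form_host = None     # host the currently open <form> posts to
        self.exposed = []         # card inputs submitted to the merchant's own host
        self.hosted_iframes = []  # iframe hosts that are not the merchant's host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action posts back to the site itself.
            self.form_host = urlparse(a.get("action") or "").hostname or self.site_host
        elif tag == "iframe":
            host = urlparse(a.get("src") or "").hostname
            if host and host != self.site_host:
                self.hosted_iframes.append(host)
        elif tag == "input" and self.form_host == self.site_host:
            # Only inputs with a name attribute are included in a form submission.
            name = (a.get("name") or "").lower().replace("-", "_")
            if any(hint in name for hint in CARD_HINTS):
                self.exposed.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_host = None

def classify(html, site_host):
    scan = CheckoutScan(site_host)
    scan.feed(html)
    if scan.exposed:
        return "card-data-on-merchant-server", scan.exposed
    if scan.hosted_iframes:
        return "provider-hosted-fields", scan.hosted_iframes
    return "no-card-fields-found", []

# Constructed sample pages; hosts, paths and field names are placeholders.
DIRECT_POST = ('<form action="/booking/pay" method="post">'
               '<input name="card_number"><input name="card_cvc"></form>')
HOSTED_FIELDS = ('<form action="/booking/pay" method="post">'
                 '<iframe src="https://pay.provider.example/card-frame"></iframe>'
                 '<input type="hidden" name="payment_token"></form>')
```

Run `classify()` on the saved HTML of the live payment step; a page that builds its card form with JavaScript has to be saved from the browser after rendering for the check to see the fields.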
