As far as I understand it, and my knowledge at this point is very limited as I 
am just starting to dig into it, you swap the credit card number with a token 
and then the credit card details are stored on a remote server that is already 
PCI compliant. This then allows you to reduce the level of PCI compliance (as 
far as I know there is 1, 2 & 3, with 3 being the hardest to achieve but 
required if you store credit card info onsite). As you store this token you can 
repeat bill, but I suppose it's debatable if this is really any more secure; but 
at least the worst that can happen is they only make fraudulent transactions on 
your site and not use the card info anywhere else.  PCI was created by card 
companies after all.


On 01/04/2009 23:11, "Adam Heath" <[email protected]> wrote:

Sam Hamilton wrote:
> Just starting down the path of PCI, so when I know more I will
> let the list know. I was more thinking of getting compliance
> by moving the storage of credit cards out of the database and
> into the payment processors servers (secure storage based on
> tokens)

How would repeat billing work with that?  Would each payment
processing server have its very own logic for handling repeats?

Or would the payment submitter just reissue the request?

If the latter, then it's barely more secure than actually having the
credit card itself; you can still get the money.
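To make the tokenization model discussed in this thread concrete, here is an added Python sketch (not code from the list or from any payment processor) of the two halves: a hypothetical processor-side vault that is the only component holding full card numbers, and a merchant-side store that keeps nothing but an opaque token and the last four digits. The vault binds each token to the merchant that created it, which is the usual mitigation for the point raised above: a token can still be charged, so it should only be chargeable by the merchant it was issued to. All names, the sample card number and the in-memory storage are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check on a digit string (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault (inside the PCI-scoped environment).

    The merchant never stores the PAN; it only ever receives a random token.
    """

    def __init__(self) -> None:
        # token -> (merchant_id, pan, expiry). In practice encrypted at rest.
        self._cards: dict[str, tuple[str, str, str]] = {}

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> tuple[str, str]:
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Token is random, so it cannot be reversed into the PAN.
        token = secrets.token_urlsafe(24)
        self._cards[token] = (merchant_id, pan, expiry)
        return token, pan[-4:]

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        entry = self._cards.get(token)
        # Reject unknown tokens and tokens issued to a different merchant.
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False
        # The real processor would submit entry[1] (the PAN) to the card
        # network here; this sketch only confirms the lookup succeeded.
        return True


@dataclass
class MerchantStore:
    """Merchant-side customer record: token and last four only, no PAN."""
    merchant_id: str
    customers: dict[str, dict[str, str]] = field(default_factory=dict)

    def save_card(self, vault: TokenVault, customer: str, pan: str, expiry: str) -> None:
        token, last4 = vault.tokenize(self.merchant_id, pan, expiry)
        self.customers[customer] = {"token": token, "last4": last4}

    def repeat_bill(self, vault: TokenVault, customer: str, amount_cents: int) -> bool:
        rec = self.customers[customer]
        return vault.charge(self.merchant_id, rec["token"], amount_cents)

    def holds_pan(self, pan: str) -> bool:
        """True if the full card number appears anywhere in merchant storage."""
        pan = pan.replace(" ", "")
        return any(pan in v for rec in self.customers.values() for v in rec.values())


def demo() -> dict[str, bool]:
    """Run the constructed scenario and return the checks a reviewer cares about."""
    sample_pan = "4111 1111 1111 1111"   # constructed test number, Luhn-valid
    vault = TokenVault()
    shop = MerchantStore("shop-a")
    other = MerchantStore("shop-b")

    shop.save_card(vault, "alice", sample_pan, "12/30")
    stolen_token = shop.customers["alice"]["token"]

    return {
        "merchant_has_no_pan": not shop.holds_pan(sample_pan),
        "repeat_bill_works": shop.repeat_bill(vault, "alice", 1999),
        # Token leaked to another merchant is useless there.
        "other_merchant_rejected": not vault.charge(other.merchant_id, stolen_token, 1999),
        "bad_token_rejected": not vault.charge("shop-a", "not-a-token", 1999),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The merchant-side record is what survives a database dump, which is the scope reduction the thread is talking about; the per-merchant binding in `charge` is what limits a leaked token to fraud against that one merchant rather than use elsewhere.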

