> On Feb 25, 2016, at 1:28 AM, [email protected] wrote:
>
> Don't fall for regulation scare talks, there should be no reason to
> put something outside local premises except payment processing which
> is a well developed monetary system service from banks etc.
Since I deal with credit card security in my professional life I'll chime in. PCI DSS is the primary security standard you (or your client) need to deal with. These are not governmental standards but are set by the payment card industry (JCB International, Visa, MasterCard, etc.). While there may be government regulations, they are typically less stringent than PCI DSS. The standards vary based on how credit cards are being handled. If, as suggested, you allow a third party (PayPal, Square, your bank) to do the actual payment processing, and at no point in time does your server ask for (or handle) a credit card number, your life is much simpler. If you develop a web form that asks for a credit card number (even if you pass it back to the bank for processing), you have to comply with more regulations. You can choose the path that makes the most sense by taking a look at the requirements at https://www.pcisecuritystandards.org/.

