Disclaimer: I am not a lawyer. This is just my understanding.
As far as PCI goes, you don't want to have credit card numbers ever
touch your server. Even if you don't store them, just having the
credit card numbers pass through your server puts your server under
PCI scope. At that point you have to get a PCI auditor to check out
your setup (or you can self-certify if you are small enough, I think).
As far as I can tell, the best way around that is to have the payment
form data posted directly to whatever the payment gateway/ERP system
is. If the credit card numbers never touch your server you are OK.
(The PayPal module (and maybe others) does this already.)

Braintree has some PCI compliance resources. They also sell PCI
compliance services, so they do have a vested interest.
http://www.braintreepaymentsolutions.com/services/pci-compliance

Good luck!
Alex

On Mon, Aug 30, 2010 at 11:12 AM, Stuart Laughlin <[email protected]> wrote:
> On Mon, Aug 30, 2010 at 10:58 AM, Alex Robbins
> <[email protected]> wrote:
>> Buried in work for me.
>>
>> Yeah, I'd just grab the simplest payment module I can find, then strip
>> out whatever does the actual payment. You might look at the dummy or
>> autosuccess modules and see what they are doing. The auth.net module
>> has a lot of code you won't need.
>>
>> Hope that helps,
>> Alex
>>
>
> Alex, that does help; thanks for taking the time to reply!
>
> I'm a little nervous about the whole thing as it could involve storing
> credit card numbers and then transmitting that info to their ERP, etc.
> I believe there are some laws around doing such things here in the US.
> But for the sake of this public conversation, let's assume that I'm
> going to be doing everything according to the letter of the law, shall
> we? ;)
>
> Any additional comments / advice on how to approach this are very welcome!
>
>
> Thanks again,
>
> --Stuart
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Satchmo users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/satchmo-users?hl=en.
>
>
