Very helpful; thanks!
--Stuart

On Mon, Aug 30, 2010 at 11:34 AM, Alex Robbins <[email protected]> wrote:
> Disclaimer: I am not a lawyer. This is just my understanding.
> As far as PCI goes, you don't want to have credit card numbers ever
> touch your server. Even if you don't store them, just having the
> credit card numbers pass through your server puts your server under
> PCI scope. At that point you have to get a PCI auditor to check out
> your setup (or you can self-certify if you are small enough, I think).
> As far as I can tell, the best way around that is to have the payment
> form data posted directly to whatever the payment gateway/ERP system
> is. If the credit card numbers never touch your server you are ok.
> (The paypal module (and maybe others) does this already.)
>
> Braintree has some PCI compliance resources. They also sell PCI
> compliance services, so they do have a vested interest.
> http://www.braintreepaymentsolutions.com/services/pci-compliance
>
> Good luck!
> Alex
>
> On Mon, Aug 30, 2010 at 11:12 AM, Stuart Laughlin <[email protected]>
> wrote:
>> On Mon, Aug 30, 2010 at 10:58 AM, Alex Robbins
>> <[email protected]> wrote:
>>> Buried in work for me.
>>>
>>> Yeah, I'd just grab the simplest payment module I can find, then strip
>>> out whatever does the actual payment. You might look at the dummy or
>>> autosuccess modules and see what they are doing. The auth.net module
>>> has a lot of code you won't need.
>>>
>>> Hope that helps,
>>> Alex
>>>
>>
>> Alex, that does help; thanks for taking the time to reply!
>>
>> I'm a little nervous about the whole thing as it could involve storing
>> credit card number and then transmitting that info to their ERP, etc.
>> I believe there are some laws around doing such things here in the US.
>> But for the sake of this public conversation, let's assume that I'm
>> going to be doing everything according to the letter of the law, shall
>> we? ;)
>>
>> Any additional comments / advice on how to approach this are very welcome!
>>
>>
>> Thanks again,
>>
>> --Stuart
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Satchmo users" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/satchmo-users?hl=en.
