

Ask HN: Can someone explain PCI compliance to me in a nutshell? - tapan_pandita

What I basically need to do is pass on credit card info (credit card no., cvv, expiry) to a third party that will charge the card. Let's assume I cannot integrate Stripe or another such service. I would also want to be able to store the card info for recurring payments. What is the PCI compliant way of doing this? I know that for PCI compliance, I am not allowed to save the cvv or other such data (even if encrypted), but there might be a gap in my understanding. Any PCI compliance experts here who can clarify this?

tl;dr: Need to save credit card info (credit card number, expiry date, cvv) for recurring payments; what is the PCI compliant way to do it?
======
mindcrime
I don't know how much value you're going to get from a "in a nutshell"
explanation here. PCI compliance regulations are moderately complex and have
at least a handful of ambiguities and what-not, like any complex spec. If you
want to "roll your own" payment processing and store credit cards, you really
need to bite the bullet[1], download and read the spec, and - if you don't
feel pretty confident that you understand it - hire a consultant who
specializes in this stuff to help out. In either case, you should have a PCI
compliance audit done eventually to help ensure that you really are in
compliance.

Then, even after that, you have regular reports to do, etc., etc. Being, and
staying, PCI compliant can be a huge time sink.

All of that said, would a service like Spreedly[2] work for you? I believe
they can handle recurring payments / subscriptions, and they take care of
making sure everything is PCI compliant, so you don't have to do all of that
work. Unless billing and credit card processing is a core competency for your
company, I can't help but think you'd be better off outsourcing that bit.

[1]:
[https://www.pcisecuritystandards.org/security_standards/gett...](https://www.pcisecuritystandards.org/security_standards/getting_started.php)

[2]: <http://spreedly.com/>

------
jusben1369
Honestly I am from Spreedly but you should really just use Spreedly. It works
with 45+ payment gateways so I would hope there's one that would work for you.
You don't want to do this yourself.

------
PonyGumbo
Your understanding is correct - you cannot store CVV under any circumstances.
There's no way around this. When we do recurring payments, we're only able to
pass CVV on the first transaction.
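The constraint described above (CVV used only for the first authorization, never stored) combined with the tokenization route the other replies recommend, as an added Python example that is not code from anyone in this thread. The vault is a constructed in-memory stub standing in for a hosted tokenization provider, and all function names are hypothetical.

```python
"""Keep CVV out of storage: tokenize once, charge recurring payments by token."""
import re
import secrets
from dataclasses import dataclass

# Constructed stub for a hosted tokenization provider (Spreedly, a gateway's
# own vault, etc.). Real provider APIs differ; the shape of the boundary is the point.
_VAULT: dict[str, dict] = {}


def vault_tokenize(pan: str, expiry: str, cvv: str) -> str:
    """Provider keeps the PAN; the merchant gets back only an opaque token.
    The CVV is consumed by this one authorization and is never written anywhere."""
    token = "tok_" + secrets.token_hex(8)
    _VAULT[token] = {"pan": pan, "expiry": expiry}  # cvv deliberately omitted
    return token


@dataclass(frozen=True)
class StoredPaymentMethod:
    token: str   # provider token; meaningless outside this merchant's account
    last4: str   # permitted to store: truncated PAN
    expiry: str  # permitted to store: MM/YY
    # No pan field and no cvv field: the record cannot hold them by construction.


def store_for_recurring(pan: str, expiry: str, cvv: str) -> StoredPaymentMethod:
    """Called once at sign-up; the CVV goes to the provider and is then dropped."""
    token = vault_tokenize(pan, expiry, cvv)
    return StoredPaymentMethod(token=token, last4=pan[-4:], expiry=expiry)


def charge_recurring(method: StoredPaymentMethod, amount_cents: int) -> dict:
    """Later charges carry the token only; no CVV is available or needed."""
    card = _VAULT[method.token]
    return {"status": "approved", "amount": amount_cents, "last4": card["pan"][-4:]}


_PAN_RE = re.compile(r"\b\d{13,19}\b")
_CVV_KEYS = ("cvv", "cvc", "cvv2", "security_code")


def contains_prohibited_data(record: dict) -> bool:
    """Guard before persisting or logging: a CVV key or a full PAN means reject."""
    for key, value in record.items():
        if key.lower() in _CVV_KEYS:
            return True
        if isinstance(value, str) and _PAN_RE.search(value):
            return True
    return False
```

Running `contains_prohibited_data` on every record before it reaches a database or log is the practical check that the stored data model never drifts back to holding CVV or full card numbers.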

