Ask HN: Can someone explain PCI compliance to me in a nutshell?
6 points by tapan_pandita on Feb 6, 2013 | hide | past | favorite | 3 comments
What I basically need to do is pass on credit card info (credit card no., cvv, expiry) to a third party that will charge the card. Let's assume I cannot integrate stripe or another such service. I would also want to be able to store the card info for recurring payments. What is the PCI compliant way of doing this? I know that for PCI compliance, I am not allowed to save the cvv or other such data (even if encrypted), but there might be a gap in my understanding. Any PCI compliance experts here who can clarify this?

tl;dr: Need to save credit card info (credit card number, expiry date, cvv) for recurring payments, what is the PCI compliant way to do it?



I don't know how much value you're going to get from an "in a nutshell" explanation here. PCI compliance regulations are moderately complex and have at least a handful of ambiguities and what-not, like any complex spec. If you want to "roll your own" payment processing and store credit cards, you really need to bite the bullet[1], download and read the spec, and - if you don't feel pretty confident that you understand it - hire a consultant who specializes in this stuff to help out. In either case, you should have a PCI compliance audit done eventually to help ensure that you really are in compliance.

Then, even after that, you have regular reports to do, etc., etc. Being, and staying, PCI compliant can be a huge time sink.

All of that said, would a service like Spreedly[2] work for you? I believe they can handle recurring payments / subscriptions, and they take care of making sure everything is PCI compliant, so you don't have to do all of that work. Unless billing and credit card processing is a core competency for your company, I can't help but think you'd be better off outsourcing that bit.

[1]: https://www.pcisecuritystandards.org/security_standards/gett...

[2]: http://spreedly.com/


Honestly I am from Spreedly but you should really just use Spreedly. It works with 45+ payment gateways so I would hope there's one that would work for you. You don't want to do this yourself.


Your understanding is correct - you cannot store CVV under any circumstances. There's no way around this. When we do recurring payments, we're only able to pass CVV on the first transaction.
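The rule the last reply states (CVV is sent once for the first charge and is never persisted, even encrypted) can be enforced at the storage boundary rather than left to convention. The following is an added example, not code from the thread or from Spreedly; it assumes a hypothetical third-party processor that returns a reference token after the first charge, and the card values and the log line are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, asdict

# Fields PCI DSS classes as "sensitive authentication data": they may be sent
# for authorisation but must never be written to storage afterwards.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "track"}
# A 13-19 digit card number; keep first six and last four, mask the middle.
PAN_RE = re.compile(r"\b(\d{6})\d{3,9}(\d{4})\b")


class SensitiveDataAtRest(ValueError):
    """Raised when a record headed for storage still carries CVV-class fields."""


@dataclass(frozen=True)
class StoredCard:
    """What the merchant keeps for recurring charges: a processor token, not the card."""
    processor_token: str   # assumption: returned by the third party after the first charge
    last4: str
    exp_month: int
    exp_year: int


def first_charge_payload(card: dict) -> dict:
    """Payload for the initial charge; the CVV travels here once and nowhere else."""
    return {
        "number": card["number"],
        "exp_month": card["exp_month"],
        "exp_year": card["exp_year"],
        "cvv": card["cvv"],
    }


def assert_no_sensitive_auth_data(record: dict) -> None:
    """Pre-persist guard: refuse any record carrying CVV-class keys, whatever their case."""
    leaked = {k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS}
    if leaked:
        raise SensitiveDataAtRest(f"refusing to store {sorted(leaked)}")


def retain_for_recurring(card: dict, processor_token: str) -> StoredCard:
    """Derive the storable record from the card used in the first charge.

    Only the token, last four digits and expiry survive; the CVV is not copied,
    and the guard runs as a second line of defence before anything is persisted.
    """
    record = StoredCard(
        processor_token=processor_token,
        last4=card["number"][-4:],
        exp_month=int(card["exp_month"]),
        exp_year=int(card["exp_year"]),
    )
    assert_no_sensitive_auth_data(asdict(record))
    return record


def redact(text: str) -> str:
    """Mask PANs and CVV values in log lines so that card data never lands in logs."""
    text = PAN_RE.sub(
        lambda m: m.group(1) + "*" * (len(m.group(0)) - 10) + m.group(2), text
    )
    return re.sub(r"(?i)\b(cvv|cvc|cvv2|cid)\s*[:=]\s*\d{3,4}", r"\1=***", text)


if __name__ == "__main__":
    # Constructed test card (a well-known test PAN, not a real account).
    card = {"number": "4111111111111111", "exp_month": 12, "exp_year": 2030, "cvv": "123"}
    print(first_charge_payload(card))                 # CVV present, for the first charge only
    print(retain_for_recurring(card, "tok_constructed"))   # no CVV, no full PAN
    print(redact("charge number=4111111111111111 cvv: 123"))
```

The storage guard rejects keys by name so that a record assembled elsewhere in the code base cannot slip a CVV past it, and the log redactor is applied to every line before it is written, since logs are the place card data most often ends up at rest by accident.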




