On-line Payments and PCI DSS Compliance
High level overview of how on-line payments work and the compliance you need to be aware of. Presented at WordPress Sydney meetup July 2013.


  1. The usual model (Gateway)
  2. A merchant account sits in the middle between you and the bank
     • PayPal, Google Wallet, WorldPay, Realex, NAB
     • Annual/monthly fee
     • Transaction fee: % + fixed amount per transaction
     • Multiple currencies?
       – May require multiple merchant accounts
       – Higher exchange rate (interbank rate + extra %)
  3. The gateway connects your site to the merchant account
     – Collects personal information: name, address etc.
     – Collects payment card information
     – Validates input (hopefully)
     – Passes information to the merchant account
     – Waits for a response from the merchant
     – Acts on the response: success/fail/badger???
  4. High level: collect, validate and process user & payment information
     Type 1 = Merchant collects transaction info
     – This is done on the merchant's own site
     – Usually a cheaper merchant account
     – PCI compliance is *mostly* the merchant's responsibility
     Type 2 = You collect transaction info
     – This is done on your own site
     – Usually a more expensive merchant account
     – PCI compliance is your own responsibility
  5. Payment Card Industry Data Security Standard
     “a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.”
     Who does this apply to?
     “PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data*.”
     *not just card data
     Ref: http://www.pcicomplianceguide.org/
     Ref: http://www.cio.com.au/article/400300/what_pci_compliance_/
  6. Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://
     Even if I have a fancy shmancy 1024-bit military grade SSL certificate?
  7. Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://
     HELL NO. Not even close! PCI compliance is a lot more than just an SSL cert.
  8. PCI DSS requirements
     • Install and maintain a firewall configuration to protect cardholder data
     • Do not use vendor-supplied defaults for system passwords and other security parameters. Always change vendor-supplied defaults before installing a system on your network
     • Protect stored cardholder data
     • Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols
     • Use and regularly update antivirus software. Make sure that your antivirus software remains current and actively running
     • Develop and maintain secure systems and applications
     • Restrict access to cardholder data by business employees on a need-to-know basis only
     • Assign a unique ID to each person with computer access
     • Restrict physical access to cardholder data
     • Track and monitor all access to network resources and cardholder data
     • Regularly test security systems and processes
     • Maintain a policy that addresses information security
     Ref: http://www.cio.com.au/article/400303/pci_compliance_checklist/
     Ref: http://www.cio.com.au/article/400306/pci_compliance_requirements_aussie_businesses/
  9. Stripe – US & UK/Europe
     – “Payments for Developers”
     – No need for a merchant account or gateway
     – API access for payment transactions
     – 2.9% + 30¢, no monthly fees
     – https://stripe.com/
  10. Pin Payments – Australia
     – No need for a merchant account or gateway
     – API access for payment transactions
     – 3% + 30c + $50/month
     – Flat exchange rate of 4% + interbank rate
     – https://pin.net.au/
  11. Both Stripe and Pin mean YOU need to be PCI compliant. You are storing/transmitting/processing cardholder data.
  12. Image credits: http://www.examiner.com/images/blog/wysiwyg/image/bankteller.gif (1), http://blaze1.findmyhosting.com/display/img/elements/ecommerce-diagram.jpg (2), http://stripe.com/ (9), http://pin.net.au/ (10)
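Slides 3 and 8 say the site that collects card details must validate its input and protect stored cardholder data. The following is an added, constructed example (not from the deck or any of the named providers) of the minimum a "Type 2" site should do before handing the card to a gateway: reject malformed numbers with a Luhn check, never keep the CVV, and only retain a masked reference to the card. The form field names and the `collect_card` helper are assumptions for illustration.

```python
"""Input validation and cardholder-data handling for a site that collects
card details itself (constructed example, not from the slides)."""
import re
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped card numbers before they reach the gateway."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> Optional[str]:
    """Strip spaces/dashes; accept only 13-19 digits that pass the Luhn check."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan):
        return None
    return pan if luhn_ok(pan) else None


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and logs (PCI DSS masking)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def collect_card(form: dict) -> dict:
    """Validate the checkout form and return only what may be kept afterwards.

    The full PAN is used once for the gateway call (not shown) and then dropped;
    the CVV is never stored anywhere, not even masked.
    """
    pan = normalize_pan(form.get("card_number", ""))
    if pan is None:
        raise ValueError("invalid card number")
    if not re.fullmatch(r"\d{3,4}", form.get("cvv", "")):
        raise ValueError("invalid security code")
    # pass_to_gateway(pan, form["cvv"], ...) would happen here (assumed call).
    return {
        "name": form["name"],
        "card_last4": pan[-4:],
        "card_masked": mask_pan(pan),
    }
```

The number used in the test below is the widely published Visa test pattern, not a real card.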