pci dss支付卡_敌对环境：支付，PCI DSS和英国数字业务

pci dss支付卡

I’ve written in the past about how to avoid hefty charges for the task of checking a few checkboxes when completing your PCI DSS SAQ A. I have been following this process for the last few years without problems. After all, my business never touches a card number. We (and our servers) never see a card number as card payments are taken on a payment page hosted on a Level One Certified PSP here in the UK – Sage Pay. Therefore we fully comply with the requirements for completing SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced.

过去，我写过关于如何避免在完成PCI DSS SAQ A时检查几个复选框的繁重费用的问题。过去的几年中，我一直在遵循此过程，没有出现问题。 毕竟，我的公司从来没有碰过卡号。 我们（和我们的服务器）从来没有看到卡号，因为卡付款是在英国此处的一级认证PSP （ 鼠尾草支付）上托管的付款页面上进行的。 因此，我们完全符合完成SAQ A（无卡商家，所有持卡人数据功能已外包）的要求。

输入Barclaycard数据安全管理器 (Enter Barclaycard Data Security Manager)

In November I received a letter from Barclaycard – our merchant account provider – stating that from now on I would have to use the Barclaycard Data Security Manager to comply with the PCI DSS.

11月，我收到了来自我们的商户帐户提供商Barclaycard的一封信，信中说，从现在开始，我将必须使用Barclaycard Data Security Manager来遵守PCI DSS 。

“Now here’s the good news. We’ve created Barclaycard Data Security Manager, a new programme which helps make it easier for your business to meet PCI DSS requirements.

“现在这是个好消息。 我们创建了Barclaycard Data Security Manager，这是一个新程序，可帮助您的企业更轻松地满足PCI DSS要求。

That’s nice … but perhaps not,

很好……但也许不是，

“… There will be a small charge of £5.80 for this service which will be applied to your statement every month.”

“……这项服务将收取£5.80的小额费用，该费用将每月应用于您的对帐单。”

I phoned Barclaycard and explained that, as in the past, I would complete my own SAQ A and upload it as we do not take or store any cardholder data and therefore our compliance requirements are very simple. I was told that I could not do this. I either needed to pay another QSA and upload validated documents, or go via the Barclaycard Data Security Manager at a cost of £5.80 per month on to of all the other charges we have to pay to process each payment.

我给Barclaycard打电话并解释说，和过去一样，我将完成自己的SAQ A并上载它，因为我们不会获取或存储任何持卡人数据，因此我们的合规要求非常简单。 有人告诉我我不能这样做。 我要么需要支付另一笔QSA并上传经过验证的文档，要么需要通过Barclaycard Data Security Manager来支付，每月的费用为5.80英镑，其中包括我们为处理每笔付款而必须支付的所有其他费用。

我们已经通过不获取卡数据来做明智的事情 (We are already doing the sensible thing by NOT taking card data)

I have spent years advising clients that if they can avoid processing card data themselves – and therefore needing to comply with PCI DSS at a higher level – then that is the way to proceed. In my opinion the banks should be making it as easy and inexpensive as possible for people to go that route. If you NEVER see a customer card number and those numbers are NEVER transmitted or stored on your servers then compliance should be a case of stating you do not store or transmit card data and giving the name of your Level 1 certified PSP. That is what SAQ A is intended for.

我花了多年的时间为客户提供建议，如果他们可以避免自己处理卡数据（因此需要在更高级别上遵守PCI DSS） ，那么这就是进行的方法。 我认为，银行应该使人们走这条路尽可能容易和便宜。 如果您从未看到客户卡号，并且从未在服务器上传输或存储过这些卡号，则应遵循以下规定：声明您不存储或传输卡数据，并提供经过1级认证的PSP的名称。 这就是SAQ A的目的。

The banks should be lining up to encourage people down that route and away from storing or processing card data, even via a PSP API, as it is there that there are more chances for dodgy code or poor security practices to enable card data to be compromised.

银行应该整齐地鼓励人们走那条路，甚至通过PSP API来避免存储或处理卡数据，因为那里存在更多的错误代码或不良安全做法，使卡数据受到破坏的机会。

返回巴克莱卡 (Back to Barclaycard)

Naturally I was going to argue this. I emailed Barclaycard to ask why I needed to pay to tell them I didn’t store card data. I would publish the replies here however Barclaycard have informed me that if I do I am breaching their terms and conditions, I was open about the fact I was not only interested in the answers to these questions for myself – but in order to advise other people. So I shall explain the official line of Barclaycard based on publicly accessible documents.

我自然会对此争论。 我通过电子邮件发送给Barclaycard，询问为什么我需要付款以告诉他们我没有存储卡数据。 我会在此处发布答复，但巴克莱卡德告知我，如果我违反了他们的条款和条件，我很开放，因为我不仅对自己为这些问题的答案感兴趣，而且还为他人提供了建议。 因此，我将基于可公开访问的文档来解释Barclaycard的官方路线。

The line from Barclaycard on PCI DSS self-assessment is that merchants were completing their forms incorrectly and therefore “in unnecessary danger of security breaches and card scheme fines”. This line is detailed in the Barclaycard FAQ, I don’t want to use Barclaycard Data Security Manager online service; where can I get a PCI DSS Self-Assessment Questionnaire (SAQ) from?

巴克莱卡（Barclaycard）关于PCI DSS自我评估的观点是，商家错误地填写了表格，因此“存在不必要的安全隐患和信用卡计划罚款的危险”。 此行在Barclaycard 常见问题解答中有详细说明， 我不想使用Barclaycard Data Security Manager在线服务。 从哪里可以获得PCI DSS自我评估问卷（ SAQ ）？

When I pressed Barclaycard they simply repeated the above information, in addition referring to a 2010 Visa alert which is something of a strawman as the issue raised would have more to do with the PSP than the merchant in terms of them providing a method for the merchant to identify that they are indeed the server they expect to be talking to. All the recent PSPs I have encountered have such methods in place.

当我按下Barclaycard时，他们只是重复了上述信息，另外还提到了2010年的Visa警报 ，因为这是一个稻草人，因为所提出的问题与PSP的关系要比商人更多，因为他们为商人提供了一种方法以确定他们确实是他们希望与之交谈的服务器。 我遇到的所有最新PSP都采用了这种方法。

They also inferred that due to the fact a PSP will also usually offer a “virtual terminal”, a web page where a merchant can go to enter phone orders, they may have other compliance issues. The fact remains that businesses selling services or digital products typically do not use a virtual terminal. Surely all we need to do is indicate that we never take card payments in any way other than via the PSP Payment Page?

他们还推断，由于PSP通常还会提供“虚拟终端”（即商人可以在其中输入电话订单的网页）的事实，因此他们可能还有其他合规性问题。 事实仍然是，销售服务或数字产品的企业通常不使用虚拟终端。 当然，我们需要做的所有事情就是表明，除了通过PSP付款页面之外，我们从不采取其他任何方式进行卡付款？

我们必须闭嘴 (We have to put up and shut up)

If we want to continue processing payments via Barclaycard there is little we can do other than pay their fee and go through the charade of completing their form and being charged for the privilege.

如果我们想继续通过Barclaycard处理付款，除了支付费用并完成填写表格并收取特权的手续外，我们无能为力。

If we ever had our hands on customer card data, even just by way of taking that number over the phone or it being on our servers prior to an API request being made to a third party then I would agree, it should be verified as to how we were keeping that data secure. However, like the majority of businesses like ours we never, ever see or have access to a card number. My argument is that there should be simplified compliance for people who can guarantee that is always the case, as an incentive to outsource complex security requirements to companies who are better placed to deal with them.

如果我们曾经处理过客户卡数据，即使只是通过电话将其提取，或者在向第三方发出API请求之前将其存储在我们的服务器上，那么我也同意，应该对其进行验证我们如何确保数据安全。 但是，像大多数像我们这样的公司一样，我们永远也不会看到或访问卡号。 我的观点是，应简化那些能够保证始终如此的人员的合规性，以鼓励将复杂的安全要求外包给更能应对这些问题的公司。

传输卡数据，条带与传统PSP (Transmitting Card Data, Stripe vs traditional PSPs)

This all gets even more strange if we take a look at Stripe. We thought of switching to Stripe but they don’t do true multi-currency. However I’m also a little confused about how they are enabling customers to bypass the PCI DSS as it does appear that a company using Stripe is at the least equivalent to one using a traditional PSP pay page and it could be argued that they are in fact transmitting card data.

如果我们看看Stripe，这一切将变得更加奇怪。 我们曾考虑过改用Stripe，但它们并没有真正的多币种。 但是，我对他们如何使客户能够绕过PCI DSS感到有些困惑，因为看起来使用Stripe的公司至少与使用传统PSP支付页面的公司相当，并且可以说他们处于事实传输卡数据。

The document Navigating PCI DSS states that,

导航PCI DSS文件指出：

“PCI DSS applies wherever account data is stored, processed or transmitted.”

“ PCI DSS适用于存储，处理或传输帐户数据的任何地方。”

Using our Level One Certified PSP payment page we neither store, process nor transmit card data. It never touches our server or a page hosted on our server. Nor is any code that enables the transmission of card data linked to our server.

使用我们的一级认证PSP付款页面，我们既不存储，处理也不传输卡数据。 它永远不会触碰我们的服务器或服务器上托管的页面。 也没有任何代码能够链接到我们的服务器来传输卡数据。

Using Stripe, payment data is collected and transmitted using a JavaScript API. Yet Stripe customers are not required to complete any SAQ, despite the fact that there is a higher theoretical risk at least of a compromise. For example could it be argued that there is potential for someone who has access to the server to replace the Stripe code with their own JavaScript? This is the same risk as indicated by the 2010 document sent to me by Barclaycard. I have asked Stripe these questions and they are of course able to comment here, and I’ll publish the clarification.

使用Stripe，使用JavaScript API收集并传输付款数据。 然而，尽管存在较高的理论风险（至少存在折衷办法），但Stripe客户无需填写任何SAQ 。 例如，是否可以说有人可以访问服务器，用自己JavaScript替换Stripe代码？ 这与巴克莱卡（Barclaycard）发送给我的2010年文件所指出的风险相同。 我已经问过Stripe这些问题，它们当然可以在这里发表评论，我将发表澄清。

My question isn’t whether Stripe is a secure way to take payment or not, or more or less secure than a PSP payment page. The only reason businesses using Stripe and businesses with an acquiring bank and PSP are treated differently – as far as I can see – is because if you have an acquiring bank they can tell you to pay whatever they feel like telling you to pay and you have no option but to pay it.

我的问题不是Stripe是一种安全的付款方式，还是比PSP付款页面更安全或更安全。 就我所知，使用Stripe的企业与拥有收单银行和PSP的企业被区别对待的唯一原因是：如果您拥有收单银行，他们可以告诉您付款，就像告诉您付款一样，别无选择，只能付钱。

PSP可以在这里施加压力吗？ (Could the PSPs put pressure on here?)

Stripe seem to be managing to collect and process payments without every customer needing to complete an SAQ. Could other PSPs not do the same? Digital businesses do not need virtual terminals or the ability to take phone orders. If the PSPs offered a digital business only type of account could they put pressure on the banks to allow customers using that service to be flagged compliant by the acquirer?

Stripe似乎在设法收集和处理付款，而无需每个客户都完成SAQ 。 其他PSP是否可以做同样的事情？ 数字企业不需要虚拟终端或接电话的能力。 如果PSP提供仅数字业务类型的帐户，他们是否可以向银行施加压力，以允许使用该服务的客户被收单方标记为合规？

This would seem to be to the benefit of the traditional PSP companies. If services like Stripe are managing to bypass compliance for their customers they are making it a much more compelling option to go with them. Especially if the acquiring banks are to start charging payment page only customers for compliance, as this makes the relative cost of Stripe (which is slightly higher than PSP/bank once you are at scale) seem a better option.

这似乎对传统的PSP公司有利。 如果像Stripe这样的服务设法绕过其客户的合规性，那么它们将成为与他们一起使用的更具吸引力的选择。 尤其是如果收单银行要开始仅向客户收取费用页面以确保合规性，因为这会使Stripe的相对成本（一旦达到规模，则比PSP / bank略高）似乎是一个更好的选择。

使用Stripe是定时炸弹吗？ (Is using Stripe a ticking time bomb?)

Conversely, should Stripe customers be concerned? What happens if there is a suspected compromise of card data and a Stripe customer is implicated? Will Visa and Mastercard start to look more closely at the operation? Will Stripe customers suddenly find they too need to comply with PCI DSS? Will transmitting card data via a JavaScript API be then treated the same as transmitting it over a SOAP or REST service and leave merchants needing to comply with more stringent security requirements including quarterly security scans?

相反，Stripe客户应该受到关注吗？ 如果怀疑有卡数据泄露并牵连到Stripe客户，该怎么办？ Visa和万事达卡会开始更密切地关注这一操作吗？ Stripe客户会突然发现他们也需要遵守PCI DSS吗？ 然后，是否将通过JavaScript API传输卡数据的方式与通过SOAP或REST服务传输卡数据的方式相同，并使商户需要遵守更严格的安全要求，包括每季度进行一次安全扫描？

请添加您的想法 (Please add your thoughts)

I don’t know the answers to these questions. I may have things wrong – the lack of transparency in this area means that you really only get to see the bits of the picture revealed by the companies you deal with. So the only way to get a full picture is if enough of us share what we know. My immediate future sees me continuing to use Sage Pay and Barclaycard and paying what I am told to pay, but I would love to see this whole area clarified for all of us selling digital products. At the moment I feel that the whole area of payments is pretty hostile and opaque to UK businesses, and in my experience – despite the arrival of Stripe – getting worse, rather than better.

我不知道这些问题的答案。 我可能做错了–在这方面缺乏透明度意味着您实际上只能看到与您打交道的公司所揭示的情况。 因此，获得全面了解的唯一方法是，如果我们中有足够的人分享我们所知道的东西。 在不久的将来，我会继续使用Sage Pay和Barclaycard并支付我被告知要支付的费用，但是我很乐意看到为我们所有人销售数字产品而阐明的整个领域。 目前，我感到整个支付领域对英国企业来说都是充满敌意和不透明的，而且根据我的经验（尽管Stripe到来）越来越差，而不是更好。

If you know anymore about any part of this puzzle please comment below. I will reiterate that what I am describing here is only those integrations that would normally allow the merchant to complete the self assessment SAQ A, and the fact that acquiring banks are now pressing their customers for additional fees to indicate compliance.

如果您进一步了解此难题的任何部分，请在下面评论。 我要重申的是，我在这里描述的只是那些通常会使商家完成自我评估SAQ A的集成，以及收购银行现在向其客户收取额外费用以表明合规的事实。

翻译自: https://rachelandrew.co.uk/archives/2013/12/12/a-hostile-environment-payments-the-pci-dss-and-uk-digital-businesses/

pci dss支付卡