Complying with PCI DSS when using a hosted payment page


This is part two of a post about moving away from PayPal to your own merchant account and hosted payment page solution; read part one here. The advice below is for those who are using hosted payment pages on a compliant Payment Service Provider (PSP) and is based on my own experience, so please always check with your bank and PSP.


The Payment Card Industry Data Security Standard is the source of a large amount of misinformation and appears to be becoming a nice little earner for companies who will help you to become compliant. If you are only using a hosted Pay Page as described in my last post, so that card numbers are never entered on your server, and you do not take phone, fax or in-person orders that you process through a physical or virtual terminal, then PCI compliance is a simple matter of filling out a form. It takes a few minutes.


You might first become aware of needing to comply with the PCI DSS when your bank sends you a letter telling you that you are non-compliant and that they are therefore going to charge an extra percentage on each transaction they process. This letter will point you to a third-party company who will help you to become compliant, for a fee.


I object to paying people to fill in forms for me, so when this happened after switching Perch's payments away from PayPal to a full PSP and merchant account solution, I told the third party that I would be completing the form myself, and was given an email address to send it to once I had done so.


Completing the SAQ A

If you are only taking payments via a third-party hosted payment page, and the PSP is a "Level 1 PCI DSS compliant" service provider (ask your PSP to confirm this before you start), you need to fill in the form called SAQ A.


The role of this form is to declare that you don't handle any card data and instead outsource all of that to your PSP; however, the form asks you to declare this in the most confusing and unclear way possible. Below I have explained what was accepted for us. I am not an expert in PCI compliance, so use this information at your own risk, and obviously if you are touching cardholder data in any way you need to get advice as to which SAQ you need to complete.


Parts 1 and 2a contain some basic company details you need to complete.


Part 2b, Eligibility to complete SAQ A, is where the form checks that you are not actually doing anything other than using a PSP. You should be able to tick all of these boxes if you never touch, see or hear card information and have no access to it.


Part 3 is where you confirm that you are compliant, so you can tick the "compliant" checkbox. In Part 3a you need to confirm that the PCI DSS Self-Assessment Questionnaire was completed according to the instructions therein. The questionnaire this refers to will be at the bottom of the document you are completing, provided you downloaded the full SAQ A Self-Assessment Questionnaire rather than just the Attestation of Compliance.


Self-Assessment Questionnaire A

Despite having declared that we do not touch or store any cardholder data, you have to indicate that you have completed a questionnaire which asks what you do with the cardholder data you store. Baffled? I was too. If you need to submit the questionnaire itself in completed form, go down it entering N/A in the column headed "Special". Then keep scrolling until you find Appendix D: Explanation of Non-Applicability, where you can explain, again, that you don't touch any cardholder data. Under "Requirement" add a line for each of 9.6, 9.7, 9.8, 9.9 and 9.10, and in the column "Reason requirement is not applicable" put something like "Cardholder data is never received or stored by us"; then add a line for 12.8 and write "Cardholder data is never shared with service providers". These requirement numbers are those of the SAQ A in use when this was written (2011); if the version your bank sends you is numbered differently, match your lines to its own cardholder-data and service-provider requirements.


You can then happily tick the boxes under Part 3a, sign and date the form, and send it by whatever method your bank or their third-party company has requested.


If your situation changes

Remember that it is up to you to maintain compliance. As long as your situation doesn't change and you continue to take card payments only via a page hosted on a compliant PSP, then each year you will just need to fill out this form again and you are deemed compliant. If you do start doing anything that involves you processing, handling or storing card numbers, then you need to take advice as to which SAQ, and which requirements of the PCI DSS, you need to comply with. Having dealt with applications that do store card data in the past, I am very happy to continue to outsource that liability to my PSP for my own business.


Let me know your experiences

It is really hard to get any reasonable information and guides to complying with the PCI DSS. The cynic in me says this is because the banks and third-party security companies are making money out of it. If you are storing cardholder data then it stands to reason that complying with strict security measures is important; however, for those of us who have sensibly opted to pass this responsibility on to a third party, I really wish the process wasn't made to seem more complicated than it is.


So, if you have any experiences or information that might help other people with the SAQ A, or you see any errors in my information, please add a comment. I have written this purely from my own experience, and I'm sure it can be improved with input from other people who have worked with different banks and PSPs. Let's make sure this information is available so that people aren't paying someone else to fill in a form that essentially says "we don't touch any cardholder data".


Translated from: https://rachelandrew.co.uk/archives/2011/09/16/complying-with-pci-dss-when-using-a-hosted-payment-page/
