Originally Posted by Jason95357
Just my two cents, but hosting any sort of PCI stuff and doing it correctly is a major pain (at least at the merchant level of transactions/dollars we were dealing with). Our processor didn't charge anything different to have the payment form hosted by them (as opposed to our server forwarding the results of the form to them via a back-end connection), so we went that route. Basically we have an iframe that loads from their page when they go to purchase and after the purchase the iframe is redirected back to our page. The customer doesn't know they ever left our site, but as far as PCI is concerned it is all third-party hosted (our server never sees any payment info), so the only thing we have to do for PCI is annually have a statement from the processor that they are PCI compliant and we are done.
AGREED - most gateways out there host the actual transaction data on their server, which removes nearly all PCI liability. However, the merchant STILL has to be PCI Compliant. But as opposed to major work and network scans etc., most merchants (unless you are EXTREMELY big volume) simply need to complete a SAQ (Self Assessment Questionnaire) that attests to the fact that transaction data is offloaded to the gateway and the merchant does not store any cardholder data.
PCI goes beyond the electronic transmission of data. To be PCI Compliant you have to be sure not to store cardholder info even on paper in the office. If you get faxed orders for example with full card numbers, SHRED EM as soon as you enter the sale into the gateway.
PCI is a mess if you are storing data..... fairly easy to deal with if using a gateway to store the data. Also many processors are charging a "PCI MONTHLY FEE" if you are compliant PLUS a "NON COMPLIANT FEE" if you are not. Often this 20-30 fee can be eliminated simply by completing the SAQ...
Business owners... check your CC Processing statements... if you are being charged a PCI NON COMPLIANT FEE.... you are wasting money...