
So, I've been tasked to work on an integration project where we will ask customers for credit card information and send it over to our integration partners, who will process the payment/cc info and process the rest of the order. So, one of the tasks is to become PCI compliant. However, the partner is also looking to get PCI compliant, and they said that as part of that process, they cannot accept cc info over the internet from an external source. But then I was reading about it, and found out there is some way to become a TPA (Third Party Accepter) that can allow the passing of the credit card to the partner.

I also heard the word FDMS thrown around at the first meeting - some research led me to believe this stands for First Data Merchant Services. What I found is that First Data is a merchant processor, who actually contacts the issuing banks to check the credit cards and then collect payment. The partner wants to achieve a level of PCI compliance where they do not store credit cards, so they said when they take credit cards they will send it to FDMS using something called TransArmor, where they send the CC info to FDMS and they send back a token - and that is what they use to access the CC info.

I did my research on this, and there is a lot of information out there, and I cannot find a clear and concise place where I can read about all of this - so I have a few questions on this whole process:

  1. Is there one place where I can read what exactly it takes to become PCI compliant?
  2. Are there different levels of PCI compliance?
  3. Where exactly does TPA fall into all this?
  4. Is there an example of how TransArmor works?
durron597
M.R.

1 Answer


We are going through a similar process right now trying to meet PCI compliance. Our situation is a little different though as we already deal with a Merchant Processor (CyberSource) and they are fining us something like $50/month for not meeting PCI compliance standards. We are very close though.

Becoming PCI compliant is actually pretty straightforward as long as you delegate payments to a Merchant Processor like TransArmor. They handle all of the complexity of dealing with card services, banks, storing credit card numbers, and crediting your bank account. They are PCI compliant as well but their standards are MUCH stricter and MUCH more involved than yours will be. In turn for doing business with them they will take a small cut of every transaction.

The most important thing you can do is make sure you do NOT store credit card numbers anywhere on your system! Your site is external facing, so SSL encryption and proper user account authentication, password hashing, and user activity logging are a given. A user will submit credit card details through your site and your server will simply be a middleman to your payment processor.

At the server side you will call an SSL encrypted web service hosted by TransArmor that will actually store the CC details for the user, and they will return a token that you can associate with the user's payment on your side. This token is low risk, and is essentially useless to a potential hacker that may have compromised your system.

Next you have to make sure that the web server(s) have highly restrictive firewall lockdown, even from sources internal to your network. Port 443 must be available outside for web traffic and you need a port open for communication with TransArmor, but that's it. File sharing shouldn't be allowed and RDP is to be highly restricted, with clearly defined users that are allowed remote access to the server (this is a fuzzy area for me and one we are still trying to figure out).

Other external factors can make you non-compliant as well (e.g. a physically insecure data center where the server is hosted, anything other than WPA encrypted wireless access points ANYWHERE within your internal network, etc.).

The best answer I can give you is to start talks with TransArmor, because it is in their direct interest to assist you in becoming PCI compliant, and most merchant processors are extremely helpful on this front. Most have sophisticated tools that you can run within your network and on your server to help you identify where you are non-compliant and what you need to do to become compliant. CyberSource assisted us with a checklist that we were able to step through to help identify tasks that we needed to perform to become PCI compliant.

Good luck in your project.

maple_shaft

+1 for checking with the Merchant Service Provider. Ultimately, they're the people who have to say you're compliant, and they're the best source for info. Also, they're kinda already contracted to help with these things... – Scivitri Oct 22 '11 at 04:36
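The tokenization flow the answer describes (server as pass-through, processor returns a token, merchant persists only the token), as an added example that is not part of the question, the answer, or any processor's SDK. `FakeTokenVault` is a constructed stand-in for the processor-hosted tokenization service; the real TransArmor or CyberSource interface is not reproduced here and is an assumption. The `audit_storage` scan at the end is the check a practitioner would run over their own persisted data to confirm the "never store the PAN" rule actually holds.

```python
"""Tokenized card handling pattern.

The application server validates the card number, forwards it to the
processor's tokenization service (here simulated), and keeps only the
returned token plus the last four digits. The PAN is never written to
the merchant's own storage or logs, and the CVV, if collected, goes only
to the authorization call and is never persisted.
"""
import logging
import re
import secrets
from dataclasses import dataclass

log = logging.getLogger("payments")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects typos before anything leaves the server."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display/log form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class FakeTokenVault:
    """Constructed stand-in for the processor-side tokenization service.

    In production this is a TLS web service operated by the processor; the
    PAN lives only on their side and the merchant sees a random token.
    """

    def __init__(self):
        self._vault = {}  # token -> PAN, held only on the processor's side

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)  # random, unrelated to the PAN
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        # The processor resolves the token itself; the merchant never
        # needs the card number again for repeat or refund operations.
        return token in self._vault and cents > 0


@dataclass(frozen=True)
class StoredPayment:
    """Everything the merchant keeps: no PAN, no CVV."""
    order_id: str
    token: str
    last4: str
    expiry: str  # MM/YY; not sensitive authentication data


def process_payment(order_id: str, pan: str, expiry: str,
                    vault: FakeTokenVault, storage: dict) -> StoredPayment:
    """Validate, tokenize, persist only the token, log only a masked form."""
    if not luhn_valid(pan):
        raise ValueError("card number failed checksum")
    token = vault.tokenize(pan)
    record = StoredPayment(order_id, token, pan[-4:], expiry)
    storage[order_id] = record
    log.info("order %s tokenized card %s", order_id, mask_pan(pan))
    return record


# Bare 13-19 digit runs; \b keeps hex tokens from matching.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def audit_storage(storage: dict) -> list:
    """Scan every persisted field for anything that looks like a real PAN.

    Returns (order_id, field) pairs that hold a Luhn-valid number; an
    empty list means the storage contains no card numbers.
    """
    findings = []
    for order_id, rec in storage.items():
        for field, value in vars(rec).items():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_valid(candidate):
                    findings.append((order_id, field))
    return findings


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    vault, db = FakeTokenVault(), {}
    # 4111111111111111 is a well-known constructed test number, not a real card.
    rec = process_payment("A-100", "4111111111111111", "12/29", vault, db)
    print(rec, vault.charge(rec.token, 4999), audit_storage(db))
```

The design point is that the merchant side can be breached, and the attacker still gets only tokens that are meaningless outside the processor's vault; `audit_storage` is the kind of check to run periodically over databases and log archives, since the most common compliance failure is a PAN that leaked into a log line or a debug table rather than the primary order record.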