PCI Compliance. Pass credit card information to a 3rd party API - e-commerce

I have an application that requests Credit Card information to do a payment to a third party company.
My application captures the CC, CVV, Expiration Date, etc. and then passes that information to their API that charges the customer.
I've been reading about PCI Compliance but based on the following image, I am not quite sure what level of compliance I would need to meet.
Lastly, I would like to figure out what would be the best options for me in case I have a new purchase from the same client. Since I am not charging the customer but the third party does, how would be the best way to store the payment information so user doesn't need to enter his information every single time they want to use my service? What would be the implications of storing payment information on my servers from a PCI compliance point of view? Is there a way where I don't need to store the payment information for the user but I can pass their information (if they are a returning customer) to 3rd party API and still being PCI Compliance?

Since you're building a web application (even embedded into Facebook messenger), if you're building out the form that collects card data, you're going to either fall under "Shopping Cart - Payment Page Direct Post" (which is A-EP) or "Shopping Cart - Payment Page Not Outsourced" (which is D-Merchant). You really want to be under A-EP if you can, but you may not be able to.
The difference between the two is whether or not the card data crosses through your servers. With "Direct Post", the web page itself sends the data (usually via HTTP POST) to the payment API, and you have no way to capture it. With "Not Outsourced", the data comes back to your server, which then calls the payment API and passes it along. In that case, you're going to have to go through the entire D-Merchant questionnaire (by far the longest, other than D-Service Provider), and probably have a special environment set up to prevent anything from trying to read the card data as it transits your server.
There's really no part of the card data that is worth storing to try and identify a repeat purchaser, because you won't have the payment data to actually complete a payment. Instead, you should see if your payment provider provides any type of "token", which can be used to identify that payment data later. If so, you can associate that token with the customer (however you identify a customer) and reuse it when they return.
Further reading: https://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf

Related

Paypal API for recurring payment based on usage

I am currently upgrading an old system writing in JSF, which communicates with Paypal to create an "Acceptance term" for recurring payment, it generates a Token and when the client accepts the term, it creates an Agreement Id, later we use these to charge the client based on the services he used.
On the Paypal developer website, the Billing Agreement API is marked as deprecated, so I can´t work with it, they offer the Subscription as an alternative, but it doesn´t give the Agreement Id or the possibility to charge the user based on the usage, at least, not that I´ve seen.
Is there a way to create the Token and Agreement, or to use the Subscription (or other methods) to charge the user based on that?
eg. We offer a mobile plan for U$ 10, plus U$ 5 if the user sends more than 1000 messages, we first check if that happened, then we charge the user.
If the account is approved for reference transactions, and it sounds like it may be, you can use the Vault API which is in open beta, in conjunction with the orders API. See this example.

How to process credit cards without PCI DSS on backend

I have a JS front-end that communicates with the back-end via REST API and I need to process credit cards. I do not want to get into the full PCI DSS compliance stuff and I don't need to since I am using 3rd party provider(Stripe, Braintree..) that provide tokenization.
But the issue I have is that I do not want the JS front-end to handle the tokenization of the CC details but I want the front-end to send the CC data to the back-end and the back-end will then use the payment gateway API to tokenize the CC data and store it instead of the real CC data.
Since the CC data enters the back-end is is considered processing of the CC data(not storage) which means I have to handle PCI compliance in a way.
So I am wondering if there is some easy way to avoid doing some over-complicated code/infrastructure changes in order to be compliant?
If you don't want to have to qualify for SAQ C/D then you cannot send your customer's PAN to your server, period. It has to go to your payment gateway first, and then you can take whatever payload they give you and send it to your server.
Since I am more familiar with their services, I can describe the two ways Braintree handles this:
1) Drop-in UI - With this method, you'll create a div on your payment page and add a little javascript in your frontend code that converts the node into a payment form. Once they fill out the payment form, the information will sent directly to Braintree, and they will return a payment nonce to you that you can safely send to your server without any PCI concerns.
2) Hosted Fields - The options to style the Drop-in UI are a bit limited, so if you need the ability to add custom fields that you have full control to style and place on your page as you want, then you are looking for hosted fields. It basically creates a series of iframes on your page that you can style like regular HTML inputs, and then when your customer fills them out and clicks "submit," the data is once again submitted to Braintree first, and you get a payment nonce back that you can send to your backend API and do whatever you'd like.
Just to make sure I've been clear though - there is currently no way to send plaintext credit card information to your server without having to fulfill the more rigorous PCI SAQ levels.

How to use Big Commerce Order API and make customer pay?

I would like to make an API call to Big Commerce backend to complete a purchase on a customer's behalf. Based on the API reference:
https://developer.bigcommerce.com/api/stores/v2/orders#create-an-order
By default, I believe that one can only create an order that not yet paid by the customer. Please correct me if I am wrong.
So, my question is - How do you make a payment on behalf of a customer for the order? It is safe to assume that we have a tokenized credit card of our known customer in a payment gateway like Stripe.
My guess of how it could be done is when an order is created, I can set up a webhook to call the payment gateway to make a charge on the customer's credit card. Is this correct? Are there anything that I should watch out for?
Currently, you cannot use the BigCommerce API to process a payment or full transaction. We only allow payments through the control panel where you can enter credit card details or on the storefront made by the customer. If you'd like to make use of tokenization or recurring payments, it is better to use Rebillia or Recharge (apps).
As you stated, you would need to make a call to Stripe's API to charge the card on file with the customer's token. This should be fine. It won't make any calls back to BigCommerce, so I'd be mindful of error handling (such as if the card has expired) and how you'd retry or mark the order in BigCommerce. Depending on how it was configured, you would want to check order details to ensure you were only processing payments from API created orders.
I'm not sure of what PCI implications might be for the storage of the Stripe tokens. That would be another point for consideration.

Which PayPal API and product shall be used for card payments with auth and capture

How shall I integrate custom shopping cart app with PayPal to accept indirect credit card payments without forcing buyers to register at PayPal?
There's a custom shopping cart web application and the task has been set to replace current credit/dept card payment with PayPal. The goal is to let the customers pay with their cards via PayPal. However, there are some constrains:
customers should enter their credit cards details (number, expiry date, secure code) not in shopping cart's page, but PayPal's page,
every payment must consists of authorization (blocking total sum) and subsequent capture if the ordered items are available and can be delivered,
customers aren't forced to create / login to PayPal account if they wish to pay via card.
The trouble is I'm really confused with the number of possible options at PayPal. The choice between REST API and Classic API isn't that problematic, but choosing the proper product from the whole list (like Classic API products or REST API products) isn't that obvious for PayPal newbie. Some other similar questions point to DoDirectPayment (but I don't know if it's the best choice) or suggest Website Payments Standard (I'm not sure if they're still available).
I was also considering Express Checkout, but the demo seems to force to create PayPal account.
ExpressCheckout is designed to be used in concert with a direct credit card acceptance method (such as PayPal's DoDirectPayment, or a non-PayPal credit card acceptance method), although it can be configured to also do guest payments. This is why the demos of the normal configuration handle only PayPal account creation; that's the normal usage.
One key question you need to ask yourself is whether you want to have access to the credit card information & be the "merchant of record" yourself or not.
YES: Doing this gives you the most flexibility, but will require you to go through some merchant vetting and carries some security obligations (PCI) even if you are using some solution which tries to distance you from the actual raw card numbers (e.g. collecting them via PayPal or Braintree code and immediatly encrypting & tokenizing them). In short: if you want full access to the card, then you have legal obligations re: handling that account access which technology can reduce but not eliminate.
NO: If you are content to always treat your customer's card information at arms length through PayPal, via the legal structure of a PayPal account (whether the user actually has a PayPal account or is just doing a "guest" payment on PayPal where they give PayPal their credit card for one-time use) then you can reduce your vetting & security constraints (no PCI requirements at all).
If you want (or need) access to the customer's card [YES above] then the "classic" API solutions are either DoDirectPayment (for when you collect the card info) or Hosted Sole Solution (for when PayPal collects the card info on their page). HSS meets all 3 of your requiremens above; DDP fails requirement #1.
If you can live with access to the customer & the payment but NOT the card account itself [NO above] then you can use Website Payments Standard, or EC with Guest Checkout option; both meet all three of your requirements.
All of the above solutions are not only still supported, but have tens or hundreds of thousands of integrated merchants and are the biggest/mainstream ways in which PayPal payments are handled.
If you prefer the newer products & are in the first category above (real card access, not guest payments) then you can also use Braintree or the RESTful APIs. These newer products don't yet have as much flexibility & coverage as the older products, but hey, less complexity can be a good thing as long as they have what you need. These products are generally designed around plugins for your web pages rather than entering card information on PayPal's site, however, so they don't meet your first requirement.
You can also do PayFlow (several variants) or Adaptive Payments or or or.... but in general I would advise picking either the most well-established or the new-and-growing options as being better supported & more future-proof.
Now that PayPal has acquired Braintree, the preferred integration method is v.zero. It is designed to be very easy to accept PayPal, Credit Cards and other options. (Venmo, Bitcoin, etc.)

What are the options to implement a Groupon like system?

I like to build a system that will allow users to "commit buy" a deal, but will only be charged after a minimum # of committers are reached. The time span in which the "deal" will continue can be either weekly or monthly.
I like to stay away from building one from the ground up as much as possible.
I know there's another thread on StackOverflow that asked paypal, amazon, or google checkout API to serve this purpose, but this seems too much like a hack?
I did some reading on using a gateway like Authorize.net to process credit card information and they can store the user information and has a service like pay-as-you-go. Would using their API be a better choice? Can their pay-as-you-go method provide the system that I'm looking for?
I did some reading on using a gateway like Authorize.net to process
credit card information and they can store the user information and
has a service like pay-as-you-go. Would using their API be a better
choice?
I have used Authorize.net for recurring payments and it is easy to implement if you are fluent in working with a web service (regardless of language). You can integrate with them without the user needing to leave your website and without storing the user's credit card information.
However, you will be receiving the user's credit card number to implement such a model, and there are still precautions to be taken (versus redirecting to a secure third party site to receive the number).
Refine your question to be more specific to receive more specific answers.