
Question

I'm currently attempting to wrap my head around PCI compliance - and what I need to do for my business to be compliant. I would like some confirmation on what I've found so far.

I accept payments in a mobile application. We take payment details and pass them to our own REST service (over HTTPS), and then that service instantly passes them on to a third-party payment gateway to handle the payment. We get confirmation, and the app gets that confirmation. At no point do we store the payment details. My business accepts just over 20,000 payments a year.

So, would I be correct in saying that:

- An SAQ-D needs to be completed.
- Every quarter I need to get some form of network scan from an ASV?

I would also like to know if there are any other steps necessary to be PCI compliant?

Also - if I use the PayPal mobile SDK, what (if any) additional steps would I need to take to become PCI compliant?

Explanation / Answer

If you're sure you never store the payment details, not even in things like swap files or core dumps, then I think SAQ-C will be sufficient. I think it's almost certain that you'll need to change some of your processes to complete the SAQ successfully; you won't just be able to fill it in and say that you're done.
