PCI Compliance


The PCI (Payment Card Industry) is the international standards and compliance body for credit card data management and security. PCI publish and maintain a set of standards, PCI DSS, and require that any site dealing with or handling credit card payments conform to the appropriate portion of the standard. The measures required, and the proof of compliance required, vary according to the degree of risk that a given site is deemed to pose.

Compliance with PCI standards will be important for PaperCut customers wishing to use credit card payment gateways for user print credit top-ups.

The PCI standards assign different levels of risk to different categories, and for each category there is a document describing compliance requirements.

PaperCut supports a number of payment gateways, but it is important to understand that the PaperCut server itself never processes or stores credit card data.

All of the credit card gateways that we support offer an integration architecture that uses a URL redirect to direct the user's browser to the payment gateway website when a user wishes to top up their account.

This means that correctly deployed implementations of the PaperCut integration will come under the PCI DSS category SAQ A for compliance purposes.

Please note that although PCI DSS v3 (enforced as of March 2015) introduces a new category, SAQ A-EP, for some kinds of payment gateway interaction, the PCI have confirmed that this does not apply to gateway integrations such as those implemented in PaperCut, which continue to be covered by SAQ A.

https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Why-is-there-a-different-approach-for-Direct-Post-implementations-than-for-iFrame-and-URL-redirect-what-are-the-technical-differences-and-how-do-they-impact-the-security-of-e-commerce-transactions

https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Why-is-SAQ-A-EP-used-for-Direct-Post-while-SAQ-A-is-used-for-iFrame-or-URL-redirect/
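The SAQ A scoping argument above rests on one property: the PaperCut server only ever builds a redirect carrying the amount and a reference, and card details are entered on the gateway's own page, so no cardholder data should ever arrive at, or be logged by, the PaperCut host. The following is an added example (not PaperCut's code, and not any real gateway's API; the gateway URL and parameter names are hypothetical placeholders) that shows the redirect side of that architecture and a defender's check a site can run over its own request parameters and log lines to confirm that nothing resembling a card number has leaked into them.

```python
import re
import urllib.parse

# Hypothetical gateway endpoint and parameter names (placeholders, not a real API).
GATEWAY_URL = "https://gateway.example/pay"

# Parameter names that should never appear in a request to the merchant's own server
# under a URL-redirect integration; card details belong on the gateway's page only.
CARD_FIELD_NAMES = {"pan", "card", "cardnumber", "card_number", "cvv", "cvc", "expiry"}


def build_topup_redirect(user, amount_cents, reference):
    """Build the URL the user's browser is redirected to for a top-up.

    Only the amount, the user and a merchant reference travel in the redirect;
    the card number is typed into the gateway's page, never into PaperCut.
    """
    params = {"merchant_ref": reference, "user": user, "amount": amount_cents}
    return GATEWAY_URL + "?" + urllib.parse.urlencode(params)


def luhn_ok(digits):
    """Luhn checksum used by card numbers; filters out ordinary numeric ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text):
    """Return Luhn-valid 13-19 digit runs found in text (candidate card numbers)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def cardholder_data_findings(request_params):
    """Inspect the parameters of a request to the merchant server.

    Returns a list of (parameter name, reason) tuples for anything that looks like
    cardholder data, either by field name or by a card-number-shaped value.
    """
    findings = []
    for name, value in request_params.items():
        if name.lower().replace("-", "_") in CARD_FIELD_NAMES:
            findings.append((name, "card field name"))
        elif find_pans(str(value)):
            findings.append((name, "card-number-shaped value"))
    return findings


def scan_log_lines(lines):
    """Return the line numbers (1-based) of log lines containing a candidate PAN."""
    return [n for n, line in enumerate(lines, start=1) if find_pans(line)]


if __name__ == "__main__":
    # Constructed sample data: 4111111111111111 is the widely published Visa test number.
    print(build_topup_redirect("alice", 500, "TU-20240812-0001"))
    sample_log = [
        "2014-08-12 05:57:12 INFO topup user=alice amount=500 ref=TU-20240812-0001",
        "2014-08-12 05:57:13 DEBUG session=1234567890123456 returned from gateway",
        "2014-08-12 05:57:14 WARN unexpected field pan=4111 1111 1111 1111 in callback",
    ]
    print(scan_log_lines(sample_log))   # only the third line should be reported
```

The log scan is deliberately conservative: the Luhn filter means a 16-digit session id is not reported, while a separated card number is. Running `scan_log_lines` over the application and web-server logs of the PaperCut host, and `cardholder_data_findings` on the parameters of the gateway's return callback, gives concrete evidence for the "never processes or stores credit card data" statement that the SAQ A self-assessment relies on.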

Compliance requirements for SAQ A are documented in downloadable PDFs available from the PCI security standards website. The correct document as of time of writing is SAQ A v3.0.

In most cases, a self-assessment describing the site components and the basic security measures taken (e.g. virus protection) will suffice to meet PCI compliance requirements. However, PaperCut recommend that any customer wishing to use credit cards for top-ups works with their payment gateway provider, becomes familiar with the relevant PCI standards, and if necessary engages a qualified PCI compliance advisor who is conversant with the latest standards and well-versed in systems architecture.

Our support staff can, if necessary, offer assistance in understanding how the payment gateway integrations operate.


Categories: Security


Keywords: security policy, security management, pci, dss, credit card, payment gateway


Article last modified on August 12, 2014, at 05:57 AM