A client has enquired about connecting thier management platform (which we constructed) to thier payment handler to automatically handle transactions.
At current no sensitive information is stored in terms of bank/card details - but this will now be required. From a security perspective I have worked on several projects whilst in a different employ and have no problems with the technical aspects.
However, as this is my first project by my own company with these requirements I am not 100% sure on the legal/bureaucratic requirements, and just want to clarify them before taking the project on.
Proposed technical setup (key points, not complete):
- Management system runs on Internal server on clients network. The network has access to the internet.
- Network accesses the internet through hardware firewall.
- Server has additional software firewall.
- Management platform runs as a web application on the server, staff access via a browser on thier terminals (internally, never over the internet). Log-in is required. Users only see minimum necessary detail. Payment details especially limited.
- Card & Senstive details encrypted. Encryption key not stored on server drives.
My key questions:
1. Does the PCI DSS even apply here ? - The wording is vauge and card details are not collected over the internet. However, they will be transmitted via the internet to the payment handler.
2. All the requirements for PCI compliance are actually met. The client will count as a level 4 merchant - If so I presume they will need to do the self assessment questionare and have regular 'security scans' by a third party ? (Again, wording is vauge)
3. Aside from the PCI DSS are there any other mandatory compliance schemes I should be aware of ? (i.e PA-DSS ?)
Thanks in advance. Technical suggestions are always welcome but really i'm trying to get my head round a pile of badly written and vaugue, ambiguous documents which don't clearly lay out my legal obligations.
