0 votes

I have a JS front-end that communicates with the back-end via a REST API, and I need to process credit cards. I do not want to get into the full PCI DSS compliance stuff, and I don't need to, since I am using a 3rd-party provider (Stripe, Braintree, ...) that provides tokenization.

But the issue I have is that I do not want the JS front-end to handle the tokenization of the CC details; instead I want the front-end to send the CC data to the back-end, and the back-end will then use the payment gateway API to tokenize the CC data and store the token instead of the real CC data.

Since the CC data enters the back-end, this is considered processing of the CC data (not storage), which means I have to handle PCI compliance in some way.

So I am wondering if there is some easy way to avoid doing some over-complicated code/infrastructure changes in order to be compliant?

1

Please do not vandalize your posts by removing the question and putting in gibberish. If you do not want to be associated with this question, you need to reach out to the Stack Overflow team and let them know. They can do this for you.

John Conde

1 Answer

2 votes

If you don't want to have to qualify for SAQ C/D then you cannot send your customer's PAN to your server, period. It has to go to your payment gateway first, and then you can take whatever payload they give you and send it to your server.

Since I am more familiar with their services, I can describe the two ways Braintree handles this:

1) Drop-in UI - With this method, you'll create a div on your payment page and add a little JavaScript in your frontend code that converts the node into a payment form. Once they fill out the payment form, the information will be sent directly to Braintree, and they will return a payment nonce to you that you can safely send to your server without any PCI concerns.

2) Hosted Fields - The options to style the Drop-in UI are a bit limited, so if you need the ability to add custom fields that you have full control to style and place on your page as you want, then you are looking for hosted fields. It basically creates a series of iframes on your page that you can style like regular HTML inputs, and then when your customer fills them out and clicks "submit," the data is once again submitted to Braintree first, and you get a payment nonce back that you can send to your backend API and do whatever you'd like.

Just to make sure I've been clear though - there is currently no way to send plaintext credit card information to your server without having to fulfill the more rigorous PCI SAQ levels.
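As an added example (not from the answer above, and not Braintree's or Stripe's SDK code), here is a backend-side guard in JavaScript that enforces the rule the answer states: a checkout request is accepted only if it carries a gateway payment nonce and no PAN-like value anywhere in its body. The field name `paymentMethodNonce` and all function names are assumptions for illustration.

```javascript
// Added example (not from the question or answer): a backend guard that refuses
// any request body carrying a PAN-like value, so only the gateway's payment
// nonce ever reaches the server. Names below are illustrative assumptions.

// Luhn checksum, which every PAN from the major card networks satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13-19
// digits and passes Luhn; this also catches "4242 4242 4242 4242".
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed JSON body; return the path of the first PAN-like value, or null.
function findPan(body, path = '') {
  if (body === null || typeof body !== 'object') {
    return looksLikePan(body) ? (path || '(root)') : null;
  }
  for (const [key, val] of Object.entries(body)) {
    const hit = findPan(val, path ? `${path}.${key}` : key);
    if (hit) return hit;
  }
  return null;
}

// Accept a checkout only if it carries a nonce and no cardholder data at all.
function validateCheckout(body) {
  const panPath = findPan(body);
  if (panPath) return { ok: false, reason: `cardholder data in ${panPath}` };
  const nonce = body && body.paymentMethodNonce;
  if (typeof nonce !== 'string' || nonce.length === 0) {
    return { ok: false, reason: 'missing payment method nonce' };
  }
  return { ok: true, nonce };
}
```

This is defence in depth for a misbehaving client, not a substitute for the Drop-in UI or Hosted Fields flow: the rejection reason names only the offending field path, never its value, so the guard itself does not write a PAN into your logs.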