#bwurtz999-pci

fluid lintel

I'll start by saying that I'm not a PCI Qualified Security Assessor, and that you and/or your client should hire a professional to understand what your obligations are if in doubt

that being said, you're both right

(I'm assuming from context that you're processing payments for their business / on their behalf, not processing your own payments while just happening to use their network to do it)

silk flame

Yeah it's a POS system for cafeterias

So technically we're processing payments on behalf of the food service provider

The food service provider is hired by the client

fluid lintel

anybody that processes credit card payments must be PCI compliant - however, there are multiple levels of PCI compliance, depending on exactly what you're doing, and the level of effort involved varies enormously depending on how much you're handling the card data

silk flame

But does simply providing internet constitute 'processing credit card payments'?

Isn't the upside of using Stripe that I don't have to worry about PCI compliance? Because card info never hits my server?

fluid lintel

oh, I see what you're driving at - the food service provider is the merchant of record, not the client

then yes, in my layperson opinion, they have no PCI compliance obligation

the benefit of Stripe is that if you're using the recommended integration path, you qualify for one of the less intrusive PCI compliance levels, and being compliant is straightforward

silk flame

That's what I figured, but I guess I'll need something more official than a screenshot of a Discord chat haha. Does Stripe have some sort of official document/opinion about who needs to be PCI compliant with a proper integration?

i.e.: something that tells me the entity providing the internet doesn't need to be PCI compliant?

fluid lintel

I don't think anybody would have thought to write out that negative statement

silk flame

haha yeah...

fluid lintel

I guess my advice on how to argue this with them would be something like "point me to the part of the DSS which says that you're in scope"

hopefully they either concede the point, or at least you now have a more concrete subject to debate

silk flame

Yeah that could work. Or they might just say 'here's what we think and you have to prove us wrong'

I think a lot of the pushback is that IT departments don't want additional devices on their network

So they hide behind PCI compliance

fluid lintel

heh fair enough

silk flame

yeah it's frustrating... because then we end up having to use mobile hotspots, which are unreliable

fluid lintel

if that's the case, arguing about PCI may be a bit moot, if that's not their real reason for pushing back on this

silk flame

That's an assumption on my part

But potentially

It was the reason I was given on a call yesterday, so I'm investigating

It === PCI compliance

fluid lintel

maybe coming at this from a different direction - PCI is not a regulatory thing

in most jurisdictions, there's no law on the books that says "in x situation, you must be PCI compliant", or anything to that effect

it's that being PCI compliant is a condition of the agreement that one would sign with a payments processor, as part of being able to use that processor's services (including, for example, Stripe's terms)

silk flame

Interesting

fluid lintel

so

you could also try asking them something to the effect of "PCI is a contractual commitment - to whom have you contractually committed to being PCI compliant?"

silk flame

That could work

fluid lintel

again, all of this may be moot if PCI is just a convenient excuse for keeping your devices off their network

but you could give it a shot

silk flame

Yeah I could try it. So for my own context, I have entered into a contractual commitment with Stripe to be PCI compliant because I use Stripe to process payments. Is that correct?

Or is that with my customers (the food service provider I'm processing payments for)

fluid lintel

it's in the payments section, under "9. PCI Standards Compliance."

I'll take this opportunity to further disclaim that I am not a lawyer, and this is not legal advice

silk flame

Yes thank you

It's just really nice to talk with someone who knows more about this than I do

This has been very helpful. Thank you!