PCI DSS free Gateway Plugins

8 years 2 months ago #249763


I am wondering if there is any discussion (couldn't find any), re the use of payment plugins that don't require PCI DSS compliance on the host server. I was just looking at the MIGS plugin, but there is no indication on the product page as to whether it may or may not be.

On researching the options, I think the simple way to avoid PCI DSS requirements (on your hosting environment) is to use Direct Post as the post method, so that, even if the form for cc details is generated on your own hosted site, the action of that form submits the details directly to the payment gateway concerned, and the gateway then sends a 'callback' to your own site with a paid/not-paid result.

Most of the plugins I have looked at do not do this, but instead post the form (including cc data) into the hikashop scripts (thus requiring your hosting to meet PCI DSS compliance, i.e. very expensive hosting).

As, coding-wise, it can be straightforward to use direct post, I am not sure why very few payment plugins use this action? I see that 'stripe' uses an iframe popup in one example I saw (in a wordpress shopping cart), with the iframe being generated by the stripe site, so it may be that those guys have thought about how most shared hosting in the world does not meet PCI DSS security requirements.

I would ask the hikashop devs to consider a clear indication on each of the payment plugins to indicate whether the end user should insist on PCI DSS hosting to use the particular plugin or not (sorry if I have missed this, and it already exists).

Thanks
Ian


  • MODERATOR
8 years 2 months ago #249795

Hi,

Most payment plugins actually redirect the customer to the payment gateway for entering the credit card at the end of the checkout and thus don't require that.
Only a handful of them ask for the credit card data during the checkout, like the MIGS plugin, and indeed, in that case, PCI DSS is strongly advised on the hosting.
Having a credit card form sending the credit card data to the payment gateway in the middle of the checkout is tricky. The issue is that the checkout pages are a form already. And having a form in a form is not possible. That's why the iframe is a good compromise, but not all payment gateways offer that capability. Some also propose to have the credit card form at the end of the checkout, in which case there is no checkout form anymore.

Basically PCI DSS compliance should be asked for payment plugins where you enter the credit card data in the middle of the checkout: PayPal Pro, Authorize.net in AIM, MIGS, the "credit card" payment plugin, eSelect, iPayDNA, iveri, PayJunction, Payment Express in PxPost, VirtualMerchant, WestPac in API, WorldNetTPS.
As you can see, for 4 of them, there is an alternative solution with the same payment gateway (another API which doesn't collect the credit card during the checkout).
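The direct-post pattern from the first post (card form on the shop, action pointing at the gateway, result sent back by callback) and the point above that such a form only works outside the checkout form, sketched as an added example that is not HikaShop's or any real gateway's code. The gateway URL, field names and the HMAC scheme used to sign the order data and the callback are hypothetical assumptions; a real gateway such as MIGS defines its own.

```php
<?php
// Added example, not HikaShop code. Hypothetical gateway: it accepts a card
// form posted straight from the shopper's browser and later POSTs a result to
// our callback URL, signed with a shared secret (assumed scheme).
const GATEWAY_URL   = 'https://gateway.example/direct-post';   // hypothetical
const SHARED_SECRET = 'replace-with-the-secret-from-the-gateway-portal';

// 1. Card form rendered by the shop on its own page, after the checkout form
//    has been submitted (a form cannot sit inside the checkout form). Its
//    action is the gateway, so card number and CVV travel from the browser to
//    the gateway and never reach our host. We sign only our own non-card
//    fields so the gateway can detect tampering with the amount or order id.
function directPostForm(string $orderId, string $amountCents, string $callbackUrl): string
{
    $fields = ['merchant_order' => $orderId, 'amount' => $amountCents, 'callback' => $callbackUrl];
    $fields['merchant_sig'] = hash_hmac('sha256', implode('|', $fields), SHARED_SECRET);
    $html = '<form method="post" action="' . htmlspecialchars(GATEWAY_URL, ENT_QUOTES) . '">';
    foreach ($fields as $k => $v) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">', $k, htmlspecialchars($v, ENT_QUOTES));
    }
    // Card fields are posted only to the gateway; the shop never sees them.
    $html .= '<input name="card_number" autocomplete="cc-number">'
           . '<input name="card_cvv" autocomplete="cc-csc">'
           . '<button type="submit">Pay</button></form>';
    return $html;
}

// 2. Callback handler. Anyone can POST "paid" to a public URL, so the result
//    is trusted only if the gateway's HMAC verifies and the order id and amount
//    match the order record the shop stored before redirecting.
function verifyCallback(array $post, array $expected): bool
{
    foreach (['merchant_order', 'amount', 'status', 'gateway_sig'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return false;   // missing or non-scalar field: reject
        }
    }
    $payload = $post['merchant_order'] . '|' . $post['amount'] . '|' . $post['status'];
    $calc = hash_hmac('sha256', $payload, SHARED_SECRET);
    if (!hash_equals($calc, $post['gateway_sig'])) {   // constant-time compare
        return false;
    }
    return $post['status'] === 'paid'
        && $post['merchant_order'] === $expected['order_id']
        && $post['amount'] === $expected['amount'];
}
```

Mark the order paid only once even if the callback arrives twice, and keep SHARED_SECRET in configuration rather than in the plugin source.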


8 years 2 months ago #249866

nicolas wrote: Hi,

As you can see, for 4 of them, there is an alternative solution with the same payment gateway (another API which doesn't collect the credit card during the checkout).

Thanks Nicolas
Which four, sorry?
i.e. not sure which ones you mean


  • MODERATOR
8 years 2 months ago #249868

PayPal, Authorize.net, Payment Express and WestPac.
