Web Hosting Talk

Worldpay Invisible Method / PCI Compliance


Swizi
05-11-2010, 06:05 AM
Hi all.

Just completed a WorldPay thing in full knowledge that when a client pays, they would not have to leave my website.

Now, imagine my frustration that after a week's worth of waiting, and about a month's worth of not opening to the public, I find out that I have to screw around to get PCI compliant and that the Business Gateway Plus is just an HTML redirect method, and that the client actually DOES leave my website.

So, in short, I need to know how to become PCI Compliant so I can do the "worldpay invisible method".

Has anyone got experience with this "invisible" method - where it sends payment data to RBSWorldPay in XML, rather than an HTML redirect method?

Bearing in mind that I have WHMCS and will be using this.

So second, how hard is it to become PCI Compliant?
Does it cost?

The PCI Council website is rather hard to navigate, so I was wondering if anyone knew an Australian PCI compliance service that I could make use of, seeing as the business is based in Australia, and I am Australian, and so on and so forth.

Thanks in advance for the help.

shift4sms
05-11-2010, 12:46 PM
...how hard is it to become PCI Compliant?
Does it cost?

Whole threads on this site and entire blogs are dedicated to these two questions. The short answer: it is very costly to do this from scratch if your site is processing, storing or transmitting cardholder data.

My recommendation is to use a solution that offloads at least the cardholder data portion of the transaction, and this will require a redirect of some sort to qualify you for PCI SAQ-A. This redirect can be transparent to most users and I think that is what you are asking. To do this you will probably need to find a solution that incorporates tokenization technology. This will give you the control you are seeking by using an "invisible method" and, if the right technology is used and done right, should qualify you for PCI SAQ-A.

If you want an example of a tokenization solution in action on a real ecommerce site, go to http://www.fanie.com and go through the checkout process (just don't click the "place order" button on the final order confirmation screen unless you want to place the order). This qualifies for PCI SAQ-A, is transparent (well mostly, it could be made more transparent), and the actual transaction processing is using an "invisible method" after the final order confirmation.

Hope this helps.

storeadmin
05-11-2010, 04:55 PM
Would this solution be acceptable? It lets the payment gateway accept the shoppers card data through a pop-up or iframe. I think it's less invasive than a redirect.

http://www.paymentseal.com (info)

http://teststore.storeadmin.com (demo)

network82
05-11-2010, 07:12 PM
The thing is, PCI compliance requires full understanding of the Rules and Obligations on your part, which PCI argue you are not likely to have using third-party billing systems, unless the software is PCI verified, of course.

The other thing is the terms Payment Gateway and Payment Processor. If you're using a Payment Gateway, you have to be accredited with PCI compliance on the basis that you're likely storing card information. If you're using a Payment Processor, you're initially acting as a conduit for the card information, but the Payment Processor stores the details for you, and you'd just repeat a payment authorisation. You'd still likely have to meet specific criteria from the Payment Provider, but it would be less invasive compared to PCI compliance.

If you have an internet merchant account with your bank, I'd recommend using SagePay (formerly Protx) as your Payment Provider. Otherwise use PayPal Pro. Both give you the options of Form and Direct based payment processing; the only difference is cost per transaction.

Swizi
05-12-2010, 12:09 AM
Apparently all WorldPay want is a vulnerability scan and they will handle everything else.
Seeing as I won't be storing card details - both because of WorldPay's rules not to, and ethical rules - it seems it will be relatively easy.

I consider this topic now closed.

Thanks everyone for your help.

In reference to SagePay - I do not reside in the UK.
PaymentSeal - I will look into it further; it seems a viable alternative should my PCI DSS thingo get rejected.

Thanking all once again.