
.NET Core Blazor PCI compliance

I am not too sure about PCI compliance, but what I believe is that it can be summed up as "don't let the credit card data hit your server". So any POST request would basically mean that the data ends up at least in the server's RAM.

But what about Websockets? .NET Core Blazor, the current version at least, is using websockets to update and keep a connection with the server open. If I have a form with a credit card input on it, that is using a third party JS library to send and manipulate the credit card data (tokenize it and such), is there a chance for it to hit the server?

I don't actually have any idea what is happening in the background with Blazor, as in, not sure what data is exactly getting sent there, so can it be that Blazor could cause an app to not meet PCI compliance because of this?

I think my question could have been worded better, here let me rephrase it:

My main question was more along the lines of: CAN we achieve PCI compliance with server-side Blazor without having to deal with PCI compliance for the server? Any way to tell Blazor to not send sensitive data via websockets? Since, as far as I am aware, all the client-server communication is happening in the background, is there any way to control that? Or would using server-side mean I have to secure my server to be PCI compliant?

PCI compliance is a whole suite of things you must do. Credit card data can certainly be used and sent to your server. The idea of keeping it off the server is one of reducing your compliance, ie the less you touch the credit card data, the less PCI compliance steps you must take. If you were to use something like a hosted payments platform, where a user is literally redirected to another third-party to collect and process the credit card information, then you would have no PCI compliance, because you're never touching or seeing credit card data.

However, if you take it client-side, but never send it server-side, that doesn't then mean that you don't have to worry about PCI compliance. Your PCI compliance burden is less, but not absent. Further, the method of sending it server-side doesn't matter. Websockets still count. So, if you want to completely keep it off the server, you must use the client-side Blazor hosting model, ie WebAssembly. Even then, you'd have to take care to never send it off to anything you control. In other words, an API you built is still server-side. You'd only be able to send it directly to your payment processor (Stripe, Authorize.Net, etc.).
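To make the answer's point concrete: in Blazor Server, every `@bind` value and every DOM event that has a Blazor handler is serialized and sent over the SignalR circuit, so whatever the component reads from the form ends up in server memory. The Razor component below is an added illustration, not code from the question, the answer or the Blazor project. It contrasts the binding pattern that puts the card number on the server with a field that Blazor never reads, where a third-party script tokenizes the value in the browser and only the token crosses the circuit. The JS function `window.cardTokenizer.tokenize(elementId)` is a hypothetical stand-in for that library's API; it is assumed to read the field, send the card number from the browser straight to the processor, and resolve with an opaque token string.

```razor
@* Added example, not from the original post or from Blazor.
   Assumes a hypothetical third-party script exposing
   window.cardTokenizer.tokenize(elementId) -> Promise<string>. *@
@page "/checkout"
@using Microsoft.JSInterop
@inject IJSRuntime JS

<h3>Checkout</h3>

@* PATTERN TO AVOID in Blazor Server: a bound input is read by the
   component, so its value travels over the SignalR circuit to the
   server (on the change event by default), putting the server in
   PCI scope. Shown commented out on purpose. *@
@* <input @bind="CardNumber" /> *@

@* PATTERN THE ANSWER DESCRIBES: the field is unbound and has no
   @on* handler, so Blazor never serializes its value. Only the
   assumed third-party script touches it, in the browser. *@
<input id="card-number" type="text" autocomplete="cc-number" />
<button @onclick="TokenizeAsync">Pay</button>

<p>@Status</p>

@code {
    private string Status = "";
    private string? PaymentToken;

    private async Task TokenizeAsync()
    {
        // JS interop: the assumed script reads the DOM field, posts the
        // card number from the browser directly to the payment processor,
        // and resolves with a token. Only that token is returned across
        // the circuit, so the server never sees the card number.
        PaymentToken = await JS.InvokeAsync<string>(
            "cardTokenizer.tokenize", "card-number");

        // Server-side code now holds only the opaque token, which is
        // what it would pass to the processor's server API.
        Status = string.IsNullOrEmpty(PaymentToken)
            ? "Tokenization failed"
            : "Token received";
    }
}
```

The check to apply when reviewing a Blazor Server checkout page is the one the comments spell out: any `@bind`, `@bind:event`, `@onchange` or `@oninput` attached to the card fields sends their contents over the circuit, and the server is then in scope regardless of whether it stores them. Leaving the sensitive inputs with no Blazor attributes and letting the processor's script own them is what keeps that data in the browser, which still leaves the reduced (not absent) compliance burden the answer mentions.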
