
How to ensure PCI Compliant for HTML and Ajax request

I am integrating the eWay payment gateway in PHP with recurring payments. It is for the Australian region. I have prepared the HTML form below:

<form action="submit.php" method="post" id="signup-form" class="creditly-card-form agileinfo_form">
    <div class="signup-form credit-wrapper">
        <div class="control full-flex">
            <div class="form-control first">
                <input type="email" name="email" id="email" placeholder="Email Address"/>
            </div>
            <div class="form-control last">
                <input type="text" name="username" id="username" placeholder="Username"/>
            </div>
        </div>

        <div class="control full">
            <div class="form-control">
                <input type="text" name="cardholder_name" id="cardholder_name" placeholder="Name On Card" class="billing-address-name form-control"/>
            </div>
        </div>
        <div class="control full">
            <div class="form-control">
                <div class="card-type"></div>
                <input type="text" name="cardnumber" id="cardnumber" pattern="(\d*\s){3}\d*" class="credit-card-number form-control" autocomplete="cc-number" autocompletetype="cc-number" x-autocompletetype="cc-number" />
            </div>
        </div>
        <div class="control full-flex">
            <div class="form-control first">
                <input type="text" class="security-code form-control" name="cardcvv" id="cardcvv" inputmode="numeric" pattern="\d*" placeholder="CVV" />
            </div>
            <div class="form-control last">
                <input type="text" name="expiredate" id="expiredate" placeholder="MM / YY" class="expiration-month-and-year form-control"/>
            </div>
        </div>
        <div class="control full">
            <input type="submit" class="submitbtn credit-wrapper-submit" value="Submit"/>
            <!--<button class="submitbtn credit-wrapper-submit" type="submit"><span>Submit</span></button>-->
        </div>
    </div>
</form>

I use jQuery to submit the form on the submit button click; please see:

$("#signup-form").submit(function(e){
    e.preventDefault();
    var formData = $(this).serialize();
    showLoader();
    $.ajax({
        url: "php/submit-signup.php",
        method: "POST",
        dataType: "json",
        data: {
            formdata: formData
        },
        success: function(data) {
            hideLoader();
            if (data.status) {
                showsweetSuccessPopup(data.message);
            } else {
                showsweetErrorPopup(data.message);
                return false;
            }
        }
    });
});

On the server side, I am using the code below. I am not saving card details in my DB; they are only used for the third-party API call:

$formData = array();
parse_str($_POST['formdata'], $formData);

if (isset($formData['username'])) {
    $client = \Eway\Rapid::createClient($this->apiKey, $this->apiPassword, $this->apiEndpoint);

    // The form posts a single "expiredate" field ("MM / YY"); split it into the
    // separate month and year values the API expects.
    $expiryParts = explode('/', str_replace(' ', '', $formData['expiredate'] ?? ''));
    $expiryMonth = $expiryParts[0] ?? '';
    $expiryYear  = $expiryParts[1] ?? '';

    $customer = [
        'Email' => $formData['email'],
        'CardDetails' => [
            'Name' => $formData['cardholder_name'],
            // The card-number input allows spaces between groups; send digits only.
            'Number' => preg_replace('/\s+/', '', $formData['cardnumber']),
            'ExpiryMonth' => $expiryMonth,
            'ExpiryYear' => $expiryYear,
            'CVN' => $formData['cardcvv'],
        ]
    ];

    $apiResult = $client->createCustomer(\Eway\Rapid\Enum\ApiMethod::DIRECT, $customer);

    //further code
}

Is it a PCI compliant form, or should I do anything else for it? I have already done the following things:

  1. I am not saving credit card details in my DB. They are only used to call the eWay API, which returns a token to me, which I then save in the DB.
  2. SSL is integrated.
  3. The hosting provider has ensured hardware and software compliance.

Please help and suggest!


There's a decent summary of the whole process and a flowchart for determining what solution is applicable to you here. Unfortunately for you, if the credit card number touches your server in a readable form (i.e. not encrypted), then you will need to deal with SAQ-D, even if you aren't saving it anywhere. Here is a link to SAQ-D... all 329 questions you will need to be able to say that you have examined and determined you comply with, starting with building and maintaining a secure network. You can mark sections as not applicable (for example, because it covers card number storage and you aren't storing anything), but a lot of it is still going to be relevant.

That's probably a lot more than you're willing to take on, though.

The alternatives, which most ecommerce merchants aim for, are to qualify for SAQ-A or SAQ-A-EP (22 and 191 questions, respectively), or to encrypt the cardholder data in the user's browser before it goes anywhere, using a method that you are unable to reverse.

You should reach out to your payment processor to see what their recommended solutions for an ecommerce integration are. According to this API guide (which may or may not be the one you're using), they provide a "Pay now" button, a transparent redirect, and several options for embedding their controls on your page so that the data never reaches you.

For their "Direct Connection" API, which it looks like you're using, they explicitly say:

Since card data is passed via the server, one of the following must be used to ensure compliance with card data regulations:

  • Provide proof to eWAY of PCI-DSS compliance of the merchant's environment
  • Use Client Side Encryption to encrypt the card data on the customer's browser
  • Use Secure Fields to collect the card data, then use SecuredCardData to complete the transaction
