SagePay's Direct Integration Or CyberSource's SOAP API Method!! Should I be PCI complaint?

Question

I am currently integrating payment gateway to our merchant page. We are expecting about 100000 to 0.5mil transactions per month on our website. We have SSL certificate on our payment pages. Both SagePay and CyberSource equivalent for maximum payment page customisation are Direct and SOAP API, which let me host the payment pages on my server collect payment informations.

My only worry is I post these payment information to my server before sending it to respective payment gateways. I am not storing it in session or in DB. And all our post URLS are SSL certified.

According to PCI Compliance, If I transmit the payment data from my server I should take PCI audit every year and a security assessor will carry a remote test and a in house test.

Obviously, this is going to be expensive.

Do I need a PCI compliance if I follow the SagePay Direct integration or CyberSource SOAP API documentations?

Sorry to be a pest. I am aware that this question exist through out this community. But I can't see a convincing answer to my particular integration method.

It would be amazing to receive answers from specialist payment security advisers.

Kind Regards,

Answer 1

It doesn;t matter if you are using Sagepay or Cybersource - if credit card numbers are touching your servers at all, you are under PCI-DSS compliance. It does not matter if you are not storing them in a database or session. If your servers see a credit card number and/or CVV code for even a millisecnd, you are under PCI-DSS compliance. Your integration method does not matter at all, what matters is that your servers are handling credit card numbers.

Answer 2

Maybe you would like to check Secure Acceptance Silent Order Post from CyberSource:

http://www.cybersource.com/developers/develop/integration_methods/secure_acceptance/