I am integrating payment gateway provide by CCAvenue india. I heard about PCI compliance and other certifications.
My question is there any certification or any thing that we as a developer need to do. Current implementation is as follows.
Web application is https
Payment gateway URL is also https
We only log the order id not card details in any conditon.
And as a developer do we need to ask any certification or complience to the payment gateway team.
PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
So, if your web application is accepting credit card details from a customer, and then retransmitting them to your payment gateway, then you are subject to the PCI DSS and must fill out a Self Assessment Questionnaire (SAQ) or be audited (depending on volume). It does not matter if you are not logging the card details; if they are transmitted via your server then you are in scope. Even if your web page merely has an iframe so that your customers can enter their data directly into the payment gateway, you're still in scope.
There are different SAQs depending on how much you deal with card data. The simplest is SAQ-A (used for the iframe solution mentioned above) or SAQ-A-EP for other types of redirection. If the card data flows through your server you're looking at SAQ-D. Here's a good link describing the nuances of what setups lead to which SAQs.
