Are you trying to understand if your server has to be PCI compliant?
Are you reading some docs around and the more you read, the more you are confused?
Here’s some very simple and short tips for PCI compliance, according to Braintree and SecurityMetrics sources (you should check with your payment gateway / Qualified Security Assessor).
This post is a very simple answer to the question: “Can I accept payments without redirecting to an external website with my NON-PCI compliant server(s)?”
If you have to:
- insert a new credit card during the checkout process,
- store the payment details in the Braintree (payment gateway) Vault for later use
and your payment gateway gives you the chance to integrate an iframe or a solution similar to the Braintree Drop-In where the code is injected from the payment gateway servers, you can run your website on a NON-PCI compliant server.
This does not mean that you can ignore the PCI compliance at all.
So, what you should do? You should qualify for the SAQ A. In fact:
The card associations (VISA, MasterCard, Discover and American Express) have mandated that anyone accepting credit cards must become PCI compliant. We do require merchants to go through a Qualifies Security Assessor to help verify that your payments platform is compliant with rules established by the Card Associations.
You’re still required to complete an annual SAQ in order to be PCI compliant.
Please note that this is true if and only if the payment details are inserted only by the customer.
If the customer communicates these details to someone of your organisation, then this will increase your scope of compliance.