My company is outsourcing the development of our new e-commerce site to a third party web development company. The way they set up our site to handle transactions is by having the user enter the necessary payment info, then passing that data to a third party merchant that processes the payment, then completing the transaction if everything is good.
When the issue of PCI/DSS compliance was raised, they said:
> You won't need PCI certification because the client's browser will send the sensitive information directly to the third-party merchant when the transaction is processed.
>
> However, the process will be transparent to the user because all interface and displays are controlled by us.
>
> The only server required to be compliant is the third-party merchant's because no sensitive card data ever touches your server or web app.
Even though I very much trust and respect the knowledge of our web developers, what they are saying is raising some serious red flags for me.
The way the site is described, I am sure we will not be using a hosted payment page like PayPal or Google Checkout offers (how could we maintain control over the UI if we were?), and while my knowledge of e-commerce is laughable at best, it seems like the only other option for us would be to use XML direct to communicate with our third-party merchant for processing.
My two questions are as follows:
Based on everything you've read, is "XML Direct" the only option they could conceivably be using, or is there another method I don't know of which they could be implementing?
Most importantly, is it true our site does not need PCI certification? As I understand it, using the XML direct method means that we do have to be PCI/DSS certified, and the only way around getting certified is through a hosted payment page (e.g. PayPal).
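The "browser sends card data straight to the processor" flow the developers describe can be made concrete. The following is an added example, not code from the question, the developers, or any real payment processor: it simulates the browser splitting the checkout form into a card-data request bound for the processor and a token-only request bound for the merchant's own server, and it adds a merchant-side guard that flags any PAN-looking value that reaches the merchant anyway. The processor and merchant URLs, the field names, the `tok_...` token format, and the `fakeProcessorTokenize` stand-in are all assumptions.

```javascript
// Added example (not from the question or the developers it describes).
// Simulates a "direct to processor" checkout: the browser sends card data
// to the payment processor, receives a token, and the merchant server only
// ever sees that token plus order details. URLs, field names and the token
// format are assumptions, not any real processor's API.

const PROCESSOR_URL = "https://processor.example/tokenize";      // assumed
const MERCHANT_URL = "https://shop.example/checkout/complete";    // assumed

// Fields that must leave the browser only toward the processor.
const CARD_FIELDS = ["cardNumber", "expiry", "cvv"];

// Luhn check, used to recognise primary account numbers in data the merchant receives.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Split the checkout form into the two requests the browser will make.
function splitCheckout(form) {
  const toProcessor = {};
  const toMerchant = {};
  for (const [k, v] of Object.entries(form)) {
    (CARD_FIELDS.includes(k) ? toProcessor : toMerchant)[k] = v;
  }
  return {
    processorRequest: { url: PROCESSOR_URL, body: toProcessor },
    merchantRequest: { url: MERCHANT_URL, body: toMerchant },
  };
}

// Stand-in for the processor's tokenization endpoint: returns a token and
// never echoes the full PAN back. Token format is an assumption.
function fakeProcessorTokenize(body) {
  const last4 = String(body.cardNumber).replace(/\D/g, "").slice(-4);
  return { token: "tok_" + last4 + "_" + body.expiry.replace("/", "") };
}

// Full browser-side flow: tokenize first, then send token + order details
// to the merchant server. Only the merchant request is returned because
// that is the one whose contents decide what the merchant is exposed to.
function browserCheckout(form) {
  const { processorRequest, merchantRequest } = splitCheckout(form);
  const { token } = fakeProcessorTokenize(processorRequest.body);
  merchantRequest.body.paymentToken = token;
  return merchantRequest;
}

// Merchant-side guard: scan an incoming request body for values that look
// like a PAN (13-19 digits passing Luhn). Returns the offending keys so a
// leak can be rejected and alerted on before it is logged or stored.
function findPanLikeValues(body) {
  const hits = [];
  for (const [k, v] of Object.entries(body)) {
    const digits = String(v).replace(/[\s-]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(k);
  }
  return hits;
}

// Constructed sample form; 4111 1111 1111 1111 is a well-known test PAN.
const SAMPLE_FORM = {
  orderId: "A-1001",
  amount: "49.99",
  cardholder: "J. Doe",
  cardNumber: "4111 1111 1111 1111",
  expiry: "12/30",
  cvv: "123",
};

if (typeof require !== "undefined" && require.main === module) {
  const req = browserCheckout(SAMPLE_FORM);
  console.log(req.body, "PAN-like fields:", findPanLikeValues(req.body));
}
```

The merchant request ends up carrying `orderId`, `amount`, `cardholder` and `paymentToken`, and `findPanLikeValues` returns nothing for it; feed it a body where the card number was accidentally included and the guard names the field. The guard is a server-side detection aid for the claim "no card data ever touches our server", not a replacement for an assessment: the merchant site still serves the page and the script that collect the card fields, so that page remains part of what has to be protected.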