How to Deploy a PCI-compatible Application on Heroku
Last updated 09 September 2015
Table of Contents
This document explains the options available for deploying a PCI-compliant application on Heroku. Because Heroku itself is not PCI-certified, applications should be designed to fully-outsource payment processing. There are a few technical considerations to be aware of that affect compliance, however.
What is driving this?
Previously, merchants using 3rd-party payment providers (3PPs) could self-assess their environment using the SAQ-A form (regardless of whether the processing was done on the client-side or server-side.) The SAQ-A is a short, easy document — about a dozen questions, easily completed within a day.
With PCI 3.0, there’s a new form, SAQ A-EP, which is for e-commerce merchants who outsource their transaction-processing functions to PCI DSS certified third-party service providers (called partially-outsourced, or server-side implementations.) SAQ A-EP applies when the merchant website controls how the cardholder data is redirected to the third-party service provider.
Guidance for customers
In order to meet PCI requirements on Heroku, the payment processing should be fully outsourced (i.e. client-side implementation) by a 3rd party.
Here are some options for implementing or switching to a compliant solution.
Stripe addresses the new requirements and explains how to avoid the SAQ A-EP here.
Here is a detailed tutorial on how to convert POST method (non-compliant) to .js (compliant).
Another simpler option, which doesn’t require coding, is to use Checkout.
A third option is to employ one of Stripe’s PCI-validated vendors.
Spreedly employs an iframe solution.
This tutorial explains how to deploy an in-app checkout page using Stripe.js to create subscriptions in ChargeBee and store and process payments on Stripe. Stripe.js makes it easy to use any form page as a checkout page, and also reduces your PCI DSS scope. It does this by taking care of all the sensitive card information for you.
Background: requirements for small businesses
What does a small-to-medium sized business (Level 4 merchant, < 20,000 transactions/year) have to do in order to satisfy the PCI DSS v3.0 requirements?
To satisfy the requirements of PCI, a merchant must determine which Self Assessment Questionnaire (SAQ) should be used to validate compliance. There are two types:
SAQ-A: This is for merchants with fully-hosted payment processing; all card functions are outsourced. stripe.js, braintree.js, stripe checkout, are all designed so that payment data doesn’t hit the backend, which means they’re covered by the much simpler SAQ-A.
SAQ A-EP: This is a new SAQ to address requirements applicable to e-commerce merchants with a websites that do not themselves receive cardholder data, but which do affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
The two examples of this are:
- Shopping cart or payment page direct post: during payment, the checkout/payment page directly posts payment information from the merchant site to the 3PP, but the page resides on the merchant site.
Technical background: how Stripe 3rd-party processing works