Can I ask for a continuation of this topic, because clearly it is one of significant importance. Firstly, I have been confused by Chris's comments, as stefsurges is asking about the Authorize.net plugin and your documentation clearly states:
<<Start of copied text>>
About The Credit Card Field
The Authorize.Net Add-On enables the Credit Card Field in Gravity Forms. This field appears in the Pricing Fields toolbox of the Form Editor. This is a new field type that makes it easy to capture credit card information. It includes integrated card type detection, so the user does not have to pick which type of card he is using, and it also has built-in validation to validate that the card format is correct.
This field does not actually store the Credit Card data. It is available as part of the initial form submission strictly as part of integration with the Authorize.Net Add-On and other payment gateway add-ons. This data will not be stored as part of the form entry and is not retained by your site, server, or database.
If you Preview or view your form on a page that is not secure, it will be obvious, both to you and your users, if you do not properly secure the page. If the page is unsecured, the Credit Card Field will be highlighted with a red warning. This warning will not be displayed if the page displaying the form is loaded via https with a valid SSL certificate.
<<end of copied text>>
Certainly if this is not the case (or even if it is) I would suggest that the Gravity team put up a disclaimer somewhere to a) protect themselves, and b) help their customers avoid making easy mistakes that could cost them a significant penalty.
Also, just not storing/transmitting card data is not enough to be PCI DSS compliant - this is something you should make customers aware of.
If you are storing/transmitting any of the cardholder data, you need to be careful.
A potential disclaimer:
Unless you really know what you're doing, don't attempt to use the Authorize.net plugin.
You may be liable for any fraudulent use of your customers' payment information due to lack of security on your server/data storage & transmission processes.
PCI DSS compliance is complicated; there are several possible levels of adherence that depend on the way you integrate with your payment gateway/merchant services:
A range of self-assessment forms can be downloaded at:
https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0
SAQ C is the easiest adherence to gain for online payments; the relevant section of the PCI Security website is: SAQ C - https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf and
Key points that any Merchant must follow to be compliant:
Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
Your company store is not connected to other store locations, and any LAN is for a single store only;
Your company retains only paper reports or paper copies of receipts;
Your company does not store cardholder data in electronic format; and
Your company’s payment application software vendor uses secure techniques to provide remote support to your payment application system.
Posted 11 years ago on Tuesday December 18, 2012