WHMCS credit card storage - PCI level/Gateways

**Twobit** · 09-09-11, 09:19 AM

Good Day All,

There seems to be a number of sites explaining the PCI requirements. If WHMCS stores the clients credit card for recurring payments, does this force us into Level 1? if so, would this apply for the offline payment module?

We are looking at using WHMCS for licensing software and will require recurring payments. Our software will be under $20 pm and average at 10 clients. Is this a level 4 PCI?

We are based in Australia and have limited options, even the PayPal Website Payments Pro is not available. Of all the gateway options we have explored, most require a merchant account and the gateway. And they dont provide a token api so we still store credit card details.

Does anyone have some suggestions for a low cost gateway with a token api for WHMCS that works for Australian companies? Also, what PCI level are you on if you store credit cards?

Regards
Twobit

**laszlof** · 09-09-11, 12:21 PM

We use Authorize.net. Not sure if thats available in Australia or not, but it's worked well for us.

**Twobit** · 09-09-11, 12:55 PM

Originally Posted by laszlof

We use Authorize.net. Not sure if thats available in Australia or not, but it's worked well for us.

Hi Frank,

Thank you for your reply. We have spoken to authorize.net, but they only accept US based customers. Most of the AU gateways are over priced for our needs.

We are happy to do manual payments for our small customer base, but that requires PCI Certification. We have never undertaken this task before. If storing data in whmcs for offline processing only requires level 4 with SAQ D, we will go that route using a virtual POS.

Does anyone have some tips for PCI requirements?

Regards
Twobit

**ninak** · 09-09-11, 06:30 PM

Go to https://www.pcisecuritystandards.org/
It will answer many or your questions.

**Twobit** · 09-10-11, 12:10 AM

Good Day ninak,

Thamk you for the link. We are using that site for the documentation etc. Based on their guidelines, we should be a level 4 SAQ D - under 20k but store data. However when we run the self evaluation wizards on PCI scan vendors websites - as soon as we save save details its a level 1. Is that correct?

Regards Twobit

**ninak** · 09-10-11, 01:19 PM

Your best solution is to contact the security council with your specific questions. They would be the ones to give you any real information.

**Twobit** · 09-11-11, 01:30 AM

Good Day ninak,

Thanks we are working with a few PCI Compliance vendors here in Australia.

As we touch CC data (stored in WHMCS), we will have to be SAQ D.

Regards
Twobit

**lukewd** · 08-14-12, 09:06 AM

Hi Twobit,

We are in the exact same situation as yourself. Small business with low processing requirements. However we also want to store the CC details so we can automate the billing. Figuring out which PCI level we fall into is very confusing.

Did you ever get to the bottom of it? Are you guys Level 4, and just needed to do SAQ D?

Or like you mentioned previously, because you store the CC details, does that push you straight into Level 1?

Community Forums

Thread: WHMCS credit card storage - PCI level/Gateways

Thread Tools

WHMCS credit card storage - PCI level/Gateways

Similar Threads

Question about Credit Card hash storage

credit card storage