Forum OpenACS Q&A: Re: Payment Vaults
Don't forget that true PCIDSS compliance isn't just the software on the server but also the network on which your server sits. Any other machines on that network and all the people that have access to them. It's a right royal pain in the arse.
If it's any use to you, we use Verifone's Vanguard solution http://www.verifone.co.uk/. It mitigates the PCIDSS requirement by bypassing your server to obtain tokens to represent the EFT transaction.
Normally, card details are submitted to your server, forwarded to Verifone to obtain a token, and then discarded.
The Vanguard solution short-circuits this by sending card details directly from the user's browser to Verifone, using an embedded form to obtain a token, so that your server only ever receives tokens and never sensitive card details.
Therefore you can safely declare that you don't handle cards and don't need to be compliant.
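A server-side guard for the invariant described in the post (the server receives tokens only, never card data), written as an added example in Python rather than OpenACS's Tcl; it is not part of the original post or of Verifone's product. The field names, token format and sample payloads are constructed for illustration.

```python
import re

# Constructed sample payloads (not from the original post): what the server
# sees under the "normal" flow versus the embedded-form, token-only flow.
NORMAL_FLOW_POST = {
    "card_number": "4111 1111 1111 1111",   # well-known test PAN, Luhn-valid
    "expiry": "12/29",
    "amount": "49.99",
}
TOKENIZED_POST = {
    "payment_token": "tok_example_9f8e7d6c",  # opaque token, placeholder value
    "order_ref": "1234567890123456",          # 16 digits but not Luhn-valid
    "amount": "49.99",
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_fields(form: dict) -> list:
    """Names of form fields whose value contains a Luhn-valid 13-19 digit
    number, i.e. something that looks like a card number."""
    hits = []
    for name, value in form.items():
        for m in PAN_CANDIDATE.finditer(str(value)):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append(name)
                break
    return hits


def accept_payment_post(form: dict) -> bool:
    """Scope guard: a server meant to handle tokens only rejects any request
    carrying card data, so an integration regression (card fields posted to
    the server again) is caught instead of silently widening PCI DSS scope."""
    return not find_pan_fields(form)
```

Rejected requests are worth logging by field name only, never by value, so the log itself does not become cardholder data.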