How to handle CC data to avoid becoming PCI-compliant?

Posted: Mon May 22, 2017 12:52 pm
by anorman728
We're using Plum primarily because it's PCI-compliant and we want to avoid touching CC data ourselves, so that we don't need to be PCI-compliant. We're working with a third-party payment system that is also PCI-compliant.

We should be able to have our Fuse+ application communicate with the third-party payment system using a REST module, but I just want to make sure that we're in the clear as far as avoiding PCI-compliance goes.

We have some direct communication with our server, but nothing that transfers credit card data. That module goes directly to the third-party payment system. Is that enough to avoid having to be PCI-compliant ourselves, since both Plum and the third-party system are PCI-compliant?

Re: How to handle CC data to avoid becoming PCI-compliant?

Posted: Tue May 23, 2017 11:13 am
by support
You should contact support to get your IP addresses whitelisted. In this case, we would need your third-party payment system's IPs too.

Then, after you provision a number in Fuse, you will need to reach out to provisioning to have your numbers converted to PCI compliant.

However, the first step is to contact support with your IP addresses.

Re: How to handle CC data to avoid becoming PCI-compliant?

Posted: Tue May 23, 2017 12:53 pm
by anorman728
Thanks! I relayed this back to my team and we have a few follow-up questions:

1) When we provision a new phone number, do we own it and can we move it outside of Plum later?
2) If we have hundreds of phone numbers, do we have to update the IP whitelist for each phone number every time our IPs change?
- Example: We add a new server with a new IP. Do we have to email Plum with a list of 500 phone numbers and our IP addresses?
3) What does the whitelisting actually do?

Re: How to handle CC data to avoid becoming PCI-compliant?

Posted: Wed May 24, 2017 12:21 pm
by support
To answer your questions in order:

1. When you purchase a number through Plum you become the owner. The number remains under our resporg and our carriers while you are utilizing it with our platform, but you are free to port the number to another carrier.

2. Your phone numbers are not configured for particular IP addresses; instead, they are pointed to our PCI environment. It is the firewalls within the PCI environment that need to be updated for any new IPs. If your IPs change, you would need to send an email to support@plumgroup.com with the new information, and we would update our firewall whitelist to allow traffic from the new IP.

3. Whitelisting allows limited traffic in and out of our PCI environment. Only IPs that are whitelisted in our firewalls can make requests to the PCI environment, which limits access and helps to keep it secure.

We hope this information helps. Please let us know if you have any other questions.