Question Any experts of PCI DSS with indepth knowledge of do's and don'ts ?

[Jocus]

Scenario:

1) Company with PCI DSS certificate hook up to for example 5 different PSPs.
2) Company has an activate base of clients with recurring subscriptions, and has its own recurring subs platform taking care of renewals, cancellations etc.
3) If, for any reason, a payment for a subscription fail with PSP 1, can Company then try the same payment, same customer (same data, same card etc), with PSP 2 (if fail, then PSP 3 etc.) ? Is is both technically possible, and above all, legal ?

 

[Sols]

If you ever handle card details in your own server environment, you need to undergo PCI-DSS audit to become fully compliant or risk massive fines. This is a big investment, at minimum costing tens of thousands (for a very lean operation) but for most companies hundreds of thousands.

The answer to your third question is that it's legal, and quite normal.