
Is MIDAS PCI compliant?
A MIDAS booking system allows your clients to pay for their bookings and invoices online. Our software natively integrates with both PayPal and Stripe for processing such payments.
PayPal and Stripe are third-party payment processors; as such, payments themselves are not directly handled by MIDAS.
In terms of payments through PayPal, the client is transferred to a secure PayPal hosted payment page in order to complete their transaction. Sensitive payment details (such as the client's full card number) are not transmitted back to, or stored by, MIDAS. If you have correctly configured PayPal integration, MIDAS will simply log the client's name, email address, and unique PayPal Transaction ID. The specific method of payment, card number, expiration date, and security code are not stored in MIDAS. Please refer to PayPal's documentation for details of their own PCI compliance.

In terms of payments through Stripe, the client makes their payment on a secure MIDAS generated page. Payment card details entered on these pages are transmitted over a secure connection directly from the client's browser to Stripe's servers. The information does not pass through our servers. Following completion of the payment, sensitive payment details (such as the client's full card number) are not transmitted back to, or stored by, MIDAS. MIDAS will simply log the client's name and email address. The specific method of payment, card number, expiration date, and security code are not stored in MIDAS. Please refer to Stripe's documentation for details of their own PCI compliance.

Important Notes:
- MIDAS is not meant for storing sensitive payment details, and no native booking, client, or invoice fields are available for such storage. However, if a MIDAS user decides to manually input sensitive payment details into user-editable fields within MIDAS (for instance, in a custom booking field, in the client notes field, on an invoice, etc.), there are risks associated with this, and the user will then bring cardholder data into the PCI scope of their MIDAS system. For this reason, as a MIDAS user or administrator you should NEVER store sensitive payment details within your MIDAS system.
- If you are utilizing the optional MIDAS API to integrate MIDAS with an alternative 3rd party card processor or payment provider, it is your responsibility to ensure proper PCI compliance.