Solved

PCI compliance requirements  ???

Posted on 2008-06-19
7
495 Views
Last Modified: 2013-12-14
Are shopping carts allowed to store credit cards so when the customer returns
to the store the cards will be on file?
I'm have been looking for a shopping cart package and noticed that they do not
keep the customers credit card info and require the customer to enter it again.
A lot of webstore (amazon) keep your credit card info there when you return.
I like this feature. Is this illegal now with the "PCI compliance requirements" ? thanks

0
Comment
Question by:MikeMCSD
7 Comments
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 50 total points
Comment Utility
I do know that facebook.com keeps credit cards on file... so maybe it's okay?
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 200 total points
Comment Utility
You can store the credit card number in a database, but you have to meet PCI standards.

http://www.internetretailer.com/internet/marketing-conference/628898015-retailers-dilemma-store-or-not-store-customer-credit-card-dat.html
One option to retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance provides a Secure Storage application that stores a merchants payment transaction and account data and a Hosted Payment Acceptance application that hosts a merchants payment page within its online shopping cart process.


http://www.pcicomplianceguide.org/aboutpcicompliance.html
0
 
LVL 12

Accepted Solution

by:
pigmentarts earned 250 total points
Comment Utility
You are NOT allowed to store credit details in a database, unless you are audited and meet 'Payment Card Industry Data Security Standards'! It can be very expensive! You have to show that you can protect the credit card details in accordance with payment card industry best practices. You will also have to sit exams and prove you meet high standards for data protection laws. You will need to provide a credit/data control person for you company to site yearly exams.

Most small to medium Internet business use 3rd parties to process the payment on their site (such as Protx VSP Direct in the UK) to get around these laws. This does not mean you cannot take card details on your site and process the order, it just means you can not store them! If you destroy the card number after the order (or just store the last few digits) and never store them you are ok. (ever wondered why an invoice shows your card like xxx xxx xxx 321)

If you want to take subscriptions on your site then use a 3rd party or just make the customer renew when their subscription runs out. I myself find this much better because cards expire anyway and I find I have to change them often on such sites.

hope this answers your question.

:)
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 16

Author Comment

by:MikeMCSD
Comment Utility
thanks for the excellent advice.
0
 
LVL 1

Expert Comment

by:c_mccullough
Comment Utility
Slight disagreement with the answer.  Auditing and "exams" are not necessary.  Section 6.5 of the DSS states that developers may conduct code reviews as long as those developers are aware of common vulnerabilities.  Clearly encryption of database data is a requirement, but also facility security, network security, etc is also requried.  Send the developers to a quality training class such as this one:
c_mccullough

Please stop posting the link to your website in questions at EE.
You may put the link in your Member Profile - not in questions.
http://www.experts-exchange.com/help.jsp#hi22

Vee_Mod
Experts Exchange Moderator

There are many things that must be done to comply, but most of them are things you should be doing anyway to protect your site and systems.
0
 
LVL 12

Expert Comment

by:pigmentarts
Comment Utility
what are you talking about only level 3+ merchants can do thier own review!
if you want to do you own review at level 1-2 as you are stating the developer or someone with the company has to pass at level 1 of the Qualified Security Assessor (QSA) exam for PCI compliance on data security. i know, i have taken the exam myself.

this must be passed, you can not do your own review without passing!

even after passing this the company then has to pass a audit one a year by the person who passed the QSA at meet the following:

 http://216.239.59.104/search?q=cache:Oft-JorVRK4J:https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf+PCI+standards+audit&hl=en&ct=clnk&cd=2

read here to understand:
http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/

0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now