
Solved

PCI compliance requirements ???

Posted on 2008-06-19
567 Views
Last Modified: 2013-12-14
Are shopping carts allowed to store credit cards so that when the customer returns
to the store the cards will be on file?
I have been looking for a shopping cart package and noticed that they do not
keep the customer's credit card info and require the customer to enter it again.
A lot of webstores (Amazon) keep your credit card info there when you return.
I like this feature. Is this illegal now with the "PCI compliance requirements"? Thanks

Question by:MikeMCSD
7 Comments
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 200 total points
ID: 21826178
I do know that facebook.com keeps credit cards on file... so maybe it's okay?
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 800 total points
ID: 21827043
You can store the credit card number in a database, but you have to meet PCI standards.

http://www.internetretailer.com/internet/marketing-conference/628898015-retailers-dilemma-store-or-not-store-customer-credit-card-dat.html
One option for retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance, provides a Secure Storage application that stores a merchant's payment transaction and account data, and a Hosted Payment Acceptance application that hosts a merchant's payment page within its online shopping cart process.


http://www.pcicomplianceguide.org/aboutpcicompliance.html
0
 
LVL 12

Accepted Solution

by:pigmentarts
pigmentarts earned 1000 total points
ID: 21835246
You are NOT allowed to store credit card details in a database unless you are audited and meet the 'Payment Card Industry Data Security Standards'! It can be very expensive! You have to show that you can protect the credit card details in accordance with payment card industry best practices. You will also have to sit exams and prove you meet high standards for data protection laws. You will need to provide a credit/data control person for your company to sit yearly exams.

Most small to medium Internet businesses use 3rd parties to process the payment on their site (such as Protx VSP Direct in the UK) to get around these laws. This does not mean you cannot take card details on your site and process the order, it just means you cannot store them! If you destroy the card number after the order (or just store the last few digits) and never store them, you are OK. (Ever wondered why an invoice shows your card like xxx xxx xxx 321?)

If you want to take subscriptions on your site then use a 3rd party or just make the customer renew when their subscription runs out. I myself find this much better because cards expire anyway and I find I have to change them often on such sites.

hope this answers your question.

:)
0
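The accepted answer above says a cart should keep at most the last few digits and never the full card number. The following is an added example (not code from the original thread or from any cart product) showing what that looks like in practice: a Luhn check, PCI-style truncation to the last four digits (PCI DSS permits at most the first six and last four to be visible), the "card on file" record a cart may persist when a third-party processor holds the actual PAN, and a scanner that flags any full PAN that has leaked into a log line or stored record. The processor token `tok_constructed_123` and the two log lines are constructed stand-ins, not output of any real payment gateway.

```python
import json
import re

# Luhn (mod 10) check: every PAN the scanner reports must pass this,
# which filters out order numbers and timestamps of similar length.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Truncate to the last four digits, the form an invoice or "card on file"
# screen may show. Input may contain spaces or dashes.
def mask_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits, optionally separated by single spaces/dashes, not part of a
# longer digit run. Candidates are then confirmed with Luhn.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return every full PAN found in text (normalised to digits only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# What the cart may persist for a returning customer when the processor
# stores the PAN: the processor's opaque token (assumed format, constructed
# here), the last four, the expiry and the masked display string.
# The PAN itself and the CVV are never written.
def card_on_file_record(pan: str, exp_month: int, exp_year: int, token: str) -> dict:
    digits = re.sub(r"\D", "", pan)
    if not luhn_ok(digits):
        raise ValueError("card number fails Luhn check")
    return {
        "token": token,
        "last4": digits[-4:],
        "exp": f"{exp_month:02d}/{exp_year}",
        "display": mask_pan(digits),
    }


# Practitioner check: serialise whatever is about to be stored or logged and
# make sure no full PAN survives in it.
def record_is_pan_free(record: dict) -> bool:
    return not find_pans(json.dumps(record))


# Constructed sample log lines using a well-known public Visa test number.
BAD_LOG_LINE = "2008-06-19 order 1001 paid with card 4111 1111 1111 1111 amount 19.99"
MASKED_LOG_LINE = "2008-06-19 order 1001 paid with card ************1111 amount 19.99"

if __name__ == "__main__":
    print("leaked PANs in bad line:   ", find_pans(BAD_LOG_LINE))
    print("leaked PANs in masked line:", find_pans(MASKED_LOG_LINE))
    rec = card_on_file_record("4111 1111 1111 1111", 12, 2030, "tok_constructed_123")
    print("stored record:", rec, "pan-free:", record_is_pan_free(rec))
```

Run `find_pans` over application logs and database dumps as a routine check; a cart that keeps only what `card_on_file_record` returns should never produce a hit, and a hit means the PAN is being persisted somewhere it must not be.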
 
LVL 16

Author Comment

by:MikeMCSD
ID: 21878265
thanks for the excellent advice.
0
 
LVL 1

Expert Comment

by:c_mccullough
ID: 21948762
Slight disagreement with the answer. Auditing and "exams" are not necessary. Section 6.5 of the DSS states that developers may conduct code reviews as long as those developers are aware of common vulnerabilities. Clearly encryption of database data is a requirement, but facility security, network security, etc. are also required. Send the developers to a quality training class such as this one:
c_mccullough

Please stop posting the link to your website in questions at EE.
You may put the link in your Member Profile - not in questions.
http://www.experts-exchange.com/help.jsp#hi22

Vee_Mod
Experts Exchange Moderator

There are many things that must be done to comply, but most of them are things you should be doing anyway to protect your site and systems.
0
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21951846
What are you talking about? Only level 3+ merchants can do their own review!
If you want to do your own review at level 1-2, as you are stating, the developer or someone within the company has to pass level 1 of the Qualified Security Assessor (QSA) exam for PCI compliance on data security. I know, I have taken the exam myself.

This must be passed; you cannot do your own review without passing!

Even after passing this, the company then has to pass an audit once a year by the person who passed the QSA and meet the following:

 http://216.239.59.104/search?q=cache:Oft-JorVRK4J:https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf+PCI+standards+audit&hl=en&ct=clnk&cd=2

read here to understand:
http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/

0
