Solved

PCI compliance requirements ???

Posted on 2008-06-19
Medium Priority
578 Views
Last Modified: 2013-12-14
Are shopping carts allowed to store credit cards so when the customer returns
to the store the cards will be on file?
I have been looking for a shopping cart package and noticed that they do not
keep the customer's credit card info and require the customer to enter it again.
A lot of webstores (Amazon) keep your credit card info there when you return.
I like this feature. Is this illegal now with the "PCI compliance requirements" ? thanks

0
Question by:MikeMCSD
6 Comments
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 200 total points
ID: 21826178
I do know that facebook.com keeps credit cards on file... so maybe it's okay?
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 800 total points
ID: 21827043
You can store the credit card number in a database, but you have to meet PCI standards.

http://www.internetretailer.com/internet/marketing-conference/628898015-retailers-dilemma-store-or-not-store-customer-credit-card-dat.html
One option to retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance provides a Secure Storage application that stores a merchants payment transaction and account data and a Hosted Payment Acceptance application that hosts a merchants payment page within its online shopping cart process.


http://www.pcicomplianceguide.org/aboutpcicompliance.html
0
 
LVL 12

Accepted Solution

by:pigmentarts
pigmentarts earned 1000 total points
ID: 21835246
You are NOT allowed to store credit details in a database, unless you are audited and meet 'Payment Card Industry Data Security Standards'! It can be very expensive! You have to show that you can protect the credit card details in accordance with payment card industry best practices. You will also have to sit exams and prove you meet high standards for data protection laws. You will need to provide a credit/data control person for your company to sit yearly exams.

Most small to medium Internet businesses use 3rd parties to process the payment on their site (such as Protx VSP Direct in the UK) to get around these laws. This does not mean you cannot take card details on your site and process the order, it just means you cannot store them! If you destroy the card number after the order (or just store the last few digits) and never store them you are ok. (Ever wondered why an invoice shows your card like xxx xxx xxx 321?)

If you want to take subscriptions on your site then use a 3rd party or just make the customer renew when their subscription runs out. I myself find this much better because cards expire anyway and I find I have to change them often on such sites.

hope this answers your question.

:)
0
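As an added illustration of the "destroy the card number after the order, or just store the last few digits" practice in the accepted answer, the following Python is not from the thread or from any cart package mentioned in it. It shows how a shop can validate a card number at checkout, keep only a truncated record (last four digits, expiry, masked display string), and scan its own logs or database exports for full card numbers that should not be there. The card numbers and log lines are constructed test values (4111 1111 1111 1111 is a standard Luhn-valid test number, not a real account).

```python
import re

# Constructed sample inputs for the demo; no real card data.
SAMPLE_INPUT = "4111 1111 1111 1111"
SAMPLE_LOG = [
    "2008-06-19 order 42 paid ok, card 4111 1111 1111 1111 exp 09/10",  # full PAN leaked into a log line
    "2008-06-19 order 43 paid ok, card xxxx xxxx xxxx 4242 exp 11/09",  # masked, as it should be
    "2008-06-19 order 44 ref 9999999999999 declined",                   # 13 digits but not Luhn-valid
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip the spaces and hyphens people type into a card field."""
    return re.sub(r"[ -]", "", raw)


def mask_pan(pan: str) -> str:
    """Render a PAN for display with everything but the last four digits hidden."""
    pan = normalize_pan(pan)
    masked = "x" * (len(pan) - 4) + pan[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def record_for_storage(raw_pan: str, expiry: str) -> dict:
    """Build the only card-related record the shop keeps after the order.

    The full PAN is validated and then dropped on the floor; only the last
    four digits, the expiry and a masked display string survive, which is
    what an invoice line like 'xxxx xxxx xxxx 1111' reflects.
    """
    pan = normalize_pan(raw_pan)
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible card number")
    return {"last4": pan[-4:], "expiry": expiry, "masked": mask_pan(pan)}


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans_in_text(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in free text.

    Run this over log files or database dumps as a check that no full card
    number has leaked into storage; order ids and dates do not pass Luhn.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = normalize_pan(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_index, pan) pairs for every full PAN found in the lines."""
    return [(i, pan) for i, line in enumerate(lines) for pan in find_pans_in_text(line)]


if __name__ == "__main__":
    print(record_for_storage(SAMPLE_INPUT, "09/10"))
    for idx, pan in scan_log(SAMPLE_LOG):
        print(f"full card number in log line {idx}: {mask_pan(pan)}")
```

The scanner deliberately reports the masked form rather than echoing the number it found, so the output of the check does not itself become another place the PAN is written down.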

 
LVL 16

Author Comment

by:MikeMCSD
ID: 21878265
thanks for the excellent advice.
0
 
LVL 1

Expert Comment

by:c_mccullough
ID: 21948762
Slight disagreement with the answer. Auditing and "exams" are not necessary. Section 6.5 of the DSS states that developers may conduct code reviews as long as those developers are aware of common vulnerabilities. Clearly encryption of database data is a requirement, but also facility security, network security, etc. is also required. Send the developers to a quality training class such as this one:
c_mccullough

Please stop posting the link to your website in questions at EE.
You may put the link in your Member Profile - not in questions.
http://www.experts-exchange.com/help.jsp#hi22

Vee_Mod
Experts Exchange Moderator

There are many things that must be done to comply, but most of them are things you should be doing anyway to protect your site and systems.
0
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21951846
what are you talking about only level 3+ merchants can do their own review!
if you want to do your own review at level 1-2 as you are stating the developer or someone with the company has to pass at level 1 of the Qualified Security Assessor (QSA) exam for PCI compliance on data security. i know, i have taken the exam myself.

this must be passed, you cannot do your own review without passing!

even after passing this the company then has to pass an audit once a year by the person who passed the QSA and meet the following:

http://216.239.59.104/search?q=cache:Oft-JorVRK4J:https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf+PCI+standards+audit&hl=en&ct=clnk&cd=2

read here to understand:
http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/

0