Solved

PCI compliance requirements  ???

Posted on 2008-06-19
7
540 Views
Last Modified: 2013-12-14
Are shopping carts allowed to store credit cards so when the customer returns
to the store the cards will be on file?
I'm have been looking for a shopping cart package and noticed that they do not
keep the customers credit card info and require the customer to enter it again.
A lot of webstore (amazon) keep your credit card info there when you return.
I like this feature. Is this illegal now with the "PCI compliance requirements" ? thanks

0
Comment
Question by:MikeMCSD
7 Comments
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 50 total points
ID: 21826178
I do know that facebook.com keeps credit cards on file... so maybe it's okay?
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 200 total points
ID: 21827043
You can store the credit card number in a database, but you have to meet PCI standards.

http://www.internetretailer.com/internet/marketing-conference/628898015-retailers-dilemma-store-or-not-store-customer-credit-card-dat.html
One option to retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance provides a Secure Storage application that stores a merchants payment transaction and account data and a Hosted Payment Acceptance application that hosts a merchants payment page within its online shopping cart process.


http://www.pcicomplianceguide.org/aboutpcicompliance.html
0
 
LVL 12

Accepted Solution

by:
pigmentarts earned 250 total points
ID: 21835246
You are NOT allowed to store credit details in a database, unless you are audited and meet 'Payment Card Industry Data Security Standards'! It can be very expensive! You have to show that you can protect the credit card details in accordance with payment card industry best practices. You will also have to sit exams and prove you meet high standards for data protection laws. You will need to provide a credit/data control person for you company to site yearly exams.

Most small to medium Internet business use 3rd parties to process the payment on their site (such as Protx VSP Direct in the UK) to get around these laws. This does not mean you cannot take card details on your site and process the order, it just means you can not store them! If you destroy the card number after the order (or just store the last few digits) and never store them you are ok. (ever wondered why an invoice shows your card like xxx xxx xxx 321)

If you want to take subscriptions on your site then use a 3rd party or just make the customer renew when their subscription runs out. I myself find this much better because cards expire anyway and I find I have to change them often on such sites.

hope this answers your question.

:)
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 16

Author Comment

by:MikeMCSD
ID: 21878265
thanks for the excellent advice.
0
 
LVL 1

Expert Comment

by:c_mccullough
ID: 21948762
Slight disagreement with the answer.  Auditing and "exams" are not necessary.  Section 6.5 of the DSS states that developers may conduct code reviews as long as those developers are aware of common vulnerabilities.  Clearly encryption of database data is a requirement, but also facility security, network security, etc is also requried.  Send the developers to a quality training class such as this one:
c_mccullough

Please stop posting the link to your website in questions at EE.
You may put the link in your Member Profile - not in questions.
http://www.experts-exchange.com/help.jsp#hi22

Vee_Mod
Experts Exchange Moderator

There are many things that must be done to comply, but most of them are things you should be doing anyway to protect your site and systems.
0
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21951846
what are you talking about only level 3+ merchants can do thier own review!
if you want to do you own review at level 1-2 as you are stating the developer or someone with the company has to pass at level 1 of the Qualified Security Assessor (QSA) exam for PCI compliance on data security. i know, i have taken the exam myself.

this must be passed, you can not do your own review without passing!

even after passing this the company then has to pass a audit one a year by the person who passed the QSA at meet the following:

 http://216.239.59.104/search?q=cache:Oft-JorVRK4J:https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf+PCI+standards+audit&hl=en&ct=clnk&cd=2

read here to understand:
http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/

0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
A great marketing strategy is diverse.  Read about the not so popular, yet effective, marketing tactics you can start using today!
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question