  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 576

PCI compliance requirements ???

Are shopping carts allowed to store credit cards so that when the customer returns
to the store the cards will be on file?
I have been looking for a shopping cart package and noticed that they do not
keep the customers' credit card info and require the customer to enter it again.
A lot of webstores (Amazon) keep your credit card info there when you return.
I like this feature. Is this illegal now with the "PCI compliance requirements"? Thanks.

0
Asked by: MikeMCSD
3 Solutions
 
Frosty555 commented:
I do know that facebook.com keeps credit cards on file... so maybe it's okay?
0
 
gwkg commented:
You can store the credit card number in a database, but you have to meet PCI standards.

http://www.internetretailer.com/internet/marketing-conference/628898015-retailers-dilemma-store-or-not-store-customer-credit-card-dat.html
One option for retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance, provides a Secure Storage application that stores a merchant's payment transaction and account data, and a Hosted Payment Acceptance application that hosts a merchant's payment page within its online shopping cart process.


http://www.pcicomplianceguide.org/aboutpcicompliance.html
0
 
pigmentarts commented:
You are NOT allowed to store credit details in a database unless you are audited and meet the 'Payment Card Industry Data Security Standards'! It can be very expensive! You have to show that you can protect the credit card details in accordance with payment card industry best practices. You will also have to sit exams and prove you meet high standards for data protection laws. You will need to provide a credit/data control person for your company to sit yearly exams.

Most small to medium Internet businesses use 3rd parties to process the payment on their site (such as Protx VSP Direct in the UK) to get around these laws. This does not mean you cannot take card details on your site and process the order; it just means you cannot store them! If you destroy the card number after the order (or just store the last few digits) and never store them, you are OK. (Ever wondered why an invoice shows your card like xxx xxx xxx 321?)

If you want to take subscriptions on your site, then use a 3rd party or just make the customer renew when their subscription runs out. I myself find this much better because cards expire anyway and I find I have to change them often on such sites.

Hope this answers your question.

:)
0
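As an added illustration of the approach described above (hand the card to a third-party processor, keep only a token and the last few digits, never the full number), here is example code that is not from this thread or from any shopping-cart product. The FakeProcessor class and its tokenize()/charge() calls are a constructed stand-in for a real gateway, and 4111 1111 1111 1111 is a standard test number, not a real card.

```python
"""Added example (not from the thread): keep a card "on file" without the
merchant ever persisting the full card number (PAN).  Only a processor-issued
token, the last four digits and the expiry are kept.  FakeProcessor is a
constructed stand-in for a real third-party gateway so the code runs offline."""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CardOnFile:
    """What the merchant database holds for a returning customer."""
    token: str      # opaque reference issued by the processor, useless elsewhere
    last4: str      # truncated PAN: the last four digits may be stored and shown
    exp_month: int
    exp_year: int


def luhn_valid(pan: str) -> bool:
    """Reject obviously mistyped numbers before anything is sent anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Invoice-style rendering: everything but the last four digits hidden."""
    return "x" * (len(pan) - 4) + pan[-4:]


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate length and Luhn checksum."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


class FakeProcessor:
    """Constructed stand-in for a third-party payment gateway vault.

    A real gateway receives the PAN over TLS, stores it inside its own
    PCI-assessed environment and hands back a token.  Here the mapping is
    held in memory only; it never reaches the merchant's database."""

    def __init__(self) -> None:
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Later charges reference the token; the merchant never sees the PAN again."""
        return token in self._vault and amount_cents > 0


def store_card(processor: FakeProcessor, raw_pan: str,
               exp_month: int, exp_year: int) -> CardOnFile:
    """Hand the PAN to the processor and persist only non-sensitive data."""
    pan = normalize_pan(raw_pan)
    token = processor.tokenize(pan)
    return CardOnFile(token=token, last4=pan[-4:],
                      exp_month=exp_month, exp_year=exp_year)


def record_leaks_pan(record: CardOnFile, pan: str) -> bool:
    """Self-check: does any persisted field carry the full card number?"""
    fields = (record.token, record.last4, str(record.exp_month), str(record.exp_year))
    return any(pan in value for value in fields)


if __name__ == "__main__":
    gw = FakeProcessor()
    card = store_card(gw, "4111 1111 1111 1111", 12, 2030)   # standard test PAN
    print(card, mask_pan("4111111111111111"), gw.charge(card.token, 1999))
```

The point of the split is that a breach of the merchant database yields tokens that only the processor can redeem, plus last-four digits that are already printed on every receipt; the full PAN exists only inside the gateway's assessed environment.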
 
MikeMCSD (Author) commented:
Thanks for the excellent advice.
0
 
c_mccullough commented:
Slight disagreement with the answer. Auditing and "exams" are not necessary. Section 6.5 of the DSS states that developers may conduct code reviews as long as those developers are aware of common vulnerabilities. Clearly encryption of database data is a requirement, but facility security, network security, etc. are also required. Send the developers to a quality training class such as this one:

c_mccullough,

Please stop posting the link to your website in questions at EE.
You may put the link in your Member Profile, not in questions.
http://www.experts-exchange.com/help.jsp#hi22

Vee_Mod
Experts Exchange Moderator

There are many things that must be done to comply, but most of them are things you should be doing anyway to protect your site and systems.
0
 
pigmentarts commented:
What are you talking about? Only level 3+ merchants can do their own review!
If you want to do your own review at level 1-2 as you are stating, the developer or someone within the company has to pass level 1 of the Qualified Security Assessor (QSA) exam for PCI compliance on data security. I know, I have taken the exam myself.

This must be passed; you cannot do your own review without passing!

Even after passing this, the company then has to pass an audit once a year by the person who passed the QSA and meet the following:

http://216.239.59.104/search?q=cache:Oft-JorVRK4J:https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf+PCI+standards+audit&hl=en&ct=clnk&cd=2

Read here to understand:
http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/

0
