New regulations for manually processing credit card information.


19 replies to this topic

#1   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 21 August 2007 - 05:38

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.

If you are one of the above, PCI Compliance is not a request, or suggestion, it is now a requirement.

However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

By the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.

Credit card companies and acquirer banks can levy stiff fines and remove the merchant's ability to process credit card transactions until the merchant is PCI compliant.


Details on the requirement can be found at PCI Security Standards Council

#2   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 18 January 2008 - 03:00

This PCI Compliance Guide web site provides info on how to make your web shop PCI compliant.

Edited by toyicebear, 18 January 2008 - 03:02.


#3   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 20 March 2008 - 07:24

If you are PCI compliant you are allowed to store the following info:

- Account Number
- Cardholder Name
- Expiration Date
- Service Code

The following info you are NOT allowed to store even if you are PCI compliant.

- Magnetic Strip
- CVV/CVV2
- Pin Data

Edited by toyicebear, 20 March 2008 - 07:25.


#4   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 21 March 2008 - 07:02

What Happens If My Business Does Not Become PCI Compliant?

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.
  • Visa may charge your business up to $500,000 per incident if your network and the information of consumers are compromised.
  • You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
  • If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.
  • Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.

Edited by toyicebear, 21 March 2008 - 07:03.


#5   opensourceguy

opensourceguy
  • Members
  • 3 posts

Posted 26 March 2008 - 18:35

I did some work for a business that wasn't fully PCI compliant, but since showing them this thread they have got their act together.

* Visa may charge your business up to $500,000 per incident if your network and the information of consumers are compromised.
* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
* If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.
* Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.


definitely some hefty fines!

#6   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 30 March 2008 - 13:34

For those who wish to be compliant and also wish to have the highest security (Both for users and also to protect you the shop owner from fines etc) the use of an online payment gateway to process your payment is your best bet.

Your business bank or your merchant account provider should be able to point you in the direction of a suitable provider for your needs.

It also might be a good idea to shop around some; there are many payment gateway re-sellers who give great start-up offers.

As a starting point, here are just some of the payment gateway solutions available.

US

Authorize.net
PayPal PayFlow Pro
LinkPoint
Trust Commerce

EU

Protx
MetaCharge
SecPay
ChronoPay

Scandinavia

Dibs

Asia Pacific

Paymentexpress / DPS PxPost

International solutions

WorldPay
PayPal
2Checkout


This is just a short list to get you started; there are of course a lot more international and local country payment gateway providers out there, and some banks even have their own payment gateway solutions, like for instance HSBC.

Edited by toyicebear, 30 March 2008 - 13:38.


#7   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 14 April 2008 - 04:24

Pretty serious stuff! Thanks for the info.

Funny, we have been processing credit cards for over 8 years (through the acquirer Moneris) and this is the first I have ever heard of "PCI", even though we process up to $80,000 in transactions per year.

It has always been our practice to take card info over the phone (we're a mail-order business), store it in a password-protected PC that is NEVER connected to the internet (we use this one PC for all customer data storage and invoicing), and submit the sales info to Moneris via an IVR touch-tone phone system. I guess this is low-tech enough to be pretty secure.

As I described in another post, we are installing osCommerce, but due to our low volume, we intend for now simply to harvest the credit card info from the secure area on the server (and then delete it from there), and process with our usual procedure. We're not using the invoice or packing slip features of osC either, as we have our own set up on our PC. So the osC storefront on our website is just another means for our customers to order from us, 24/7.

Still, even the most responsible person can endanger the security of customer information if proper procedures are not worked out in advance. I was working on our database one day, and making backups onto a USB flash drive, the size of a pink rubber eraser. I could easily have gone out of the office with it in my pocket. The fact that this could so easily happen, in anyone's business, made me aware that one must always have safe procedures in place for handling such valuable data. As merchants, we should aim to be as careful as the most "paranoid" of our customers.

Edited by WoodsWalker, 14 April 2008 - 04:26.


#8   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 14 April 2008 - 04:49

OK, I've done a bit more reading of related posts. I have gathered that since our site is hosted on a shared server, and since the data will "sit" on it for a little while before we delete it, this set-up would not be PCI-compliant.

My version of osC includes the Credit Card module feature that emails the merchant a section of the CC#, while the other section is stored on the server. I guess this would be closer to compliant, anyway.

But close only counts in horseshoes... :unsure:

Edited by WoodsWalker, 14 April 2008 - 04:50.


#9   insaini

insaini
  • Members
  • 208 posts

Posted 14 April 2008 - 10:33

OK, I've done a bit more reading of related posts. I have gathered that since our site is hosted on a shared server, and since the data will "sit" on it for a little while before we delete it, this set-up would not be PCI-compliant.

My version of osC includes the Credit Card module feature that emails the merchant a section of the CC#, while the other section is stored on the server. I guess this would be closer to compliant, anyway.

But close only counts in horseshoes... :unsure:


I'm not sure how you are intending to use Moneris eSelect Plus. I am currently using this on my website.. however I have removed all CC fields from my database and do not store any CC information. Moneris hasn't asked me for a PCI certificate but in my case.. I wouldn't need it since I don't store that information if they ever asked. I suppose that unless you are doing recurring billing.. there is no need to store CC information (unless you want to give your customers a way for quick purchasing) with osC, and with so many people in the world looking to exploit the software.. I wouldn't store it.. and even with recurring billing.. this can be entered into the Moneris website manually

#10   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 14 April 2008 - 14:17

I don't think we use eSelect Plus (not familiar with the name). We used to fill out paper sales draft slips and take them to the bank. When Moneris phased out paper, they offered us the IVR procedure to use with our touch-tone phone. The customer provides us their information via phone or fax, and we then phone it in to Moneris's automated IVR system, and the money lands in our bank acct. the next day.

With this set-up, from what I understand, PCI compliance only applies to the PC (not connected to the internet) that we store the info on. Yes, we have the option of not storing this info, but as it's on a password-protected non-networked PC, I think from what I've read that our procedure would be PCI compliant. Even Moneris expects us to store this sales info - when there is any mix-up, even months-old, they want all the details of the transaction including the customer's CC#. How could such things ever be straightened out if we had no record of the information we had input to their system?

Now that we wish to collect sales info over the internet, PCI compliance issues affect our host's server as well, which is likely NOT PCI-compliant. I wonder if it is sufficient that we use the part of the osC Credit Card module that splits up the CC#, sending a section of it immediately to the merchant via email, and only storing the remaining 8 digits? Does the whole CC# ever reside on the host's server, even for an instant? Anyone know?

Edited by WoodsWalker, 14 April 2008 - 14:18.


#11   insaini

insaini
  • Members
  • 208 posts

Posted 14 April 2008 - 17:06

I don't think we use eSelect Plus (not familiar with the name). We used to fill out paper sales draft slips and take them to the bank. When Moneris phased out paper, they offered us the IVR procedure to use with our touch-tone phone. The customer provides us their information via phone or fax, and we then phone it in to Moneris's automated IVR system, and the money lands in our bank acct. the next day.

With this set-up, from what I understand, PCI compliance only applies to the PC (not connected to the internet) that we store the info on. Yes, we have the option of not storing this info, but as it's on a password-protected non-networked PC, I think from what I've read that our procedure would be PCI compliant. Even Moneris expects us to store this sales info - when there is any mix-up, even months-old, they want all the details of the transaction including the customer's CC#. How could such things ever be straightened out if we had no record of the information we had input to their system?

Now that we wish to collect sales info over the internet, PCI compliance issues affect our host's server as well, which is likely NOT PCI-compliant. I wonder if it is sufficient that we use the part of the osC Credit Card module that splits up the CC#, sending a section of it immediately to the merchant via email, and only storing the remaining 8 digits? Does the whole CC# ever reside on the host's server, even for an instant? Anyone know?


eSelect Plus is Moneris' Online Transaction Service..

The CC information should only reside in the user's session memory space.. when the user clicks 'confirm' the CC information is POSTed via SSL to Moneris servers. Moneris then returns with some information to osCommerce, which then destroys the session variables associated with the CC information whether approved or not. CC information should not be stored anywhere by your host at any time.

As for maintaining CC information.. I don't maintain it.. and the Moneris eSelect Plus integration guide doesn't say to maintain it either. The transaction itself has a Moneris ID associated with it.. in case you need to look it up.. I save all Moneris transaction emails (transactions not face to face) and all receipts (signed, when face to face of course).. I'm pretty sure that's all that's necessary..
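The flow Jesse describes above, written out as an added Python sketch that is not osCommerce's or Moneris's code: the gateway round trip is a constructed stub named fake_gateway_post, and a plain dict stands in for the PHP session. Whatever the gateway answers, the card fields are gone from the session afterwards and only a transaction id and a masked PAN remain for the order record.

```python
import re


def fake_gateway_post(pan: str, expiry: str, cvv: str, amount: str) -> dict:
    """Constructed stand-in for the gateway round trip (hypothetical).

    The real Moneris eSelect Plus request/response format is not on the page;
    this stub only models "approved or declined, here is a transaction id".
    """
    approved = pan.endswith("4242")  # demo rule only
    return {"approved": approved, "txn_id": "DEMO-TXN-0001" if approved else None}


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def charge_and_forget(session: dict, amount: str, post=fake_gateway_post) -> dict:
    """Use the card data held in the session exactly once, then purge it.

    Whatever the gateway answers (approved, declined, or an exception), the
    finally block drops PAN, expiry and CVV from the session. The only values
    that survive for the order record are the gateway's transaction id and a
    masked PAN; nothing here writes full card data to disk or a database.
    """
    try:
        result = post(session["cc_number"], session["cc_expiry"],
                      session["cc_cvv"], amount)
        return {"approved": result["approved"], "txn_id": result["txn_id"],
                "pan_masked": mask_pan(session["cc_number"])}
    finally:
        for key in ("cc_number", "cc_expiry", "cc_cvv"):
            session.pop(key, None)


def session_is_clean(session: dict) -> bool:
    """True when no card field is left in the session after the call."""
    return not any(k.startswith("cc_") for k in session)
```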

#12   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 14 April 2008 - 18:46

Great information, Jesse! Thanks!

#13   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 03 May 2008 - 02:10

UPDATE

My website now has a PCI certificate of compliance from Trustwave (Trustkeeper).

For anyone interested in the steps involved, I posted them here, in a thread I started about PCI compliance.

#14   mriksman

mriksman
  • Members
  • 12 posts

Posted 08 May 2008 - 01:16

Just remember;

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation.


Even if you don't store the data, if you transmit the information to your acquirer, you must be PCI compliant.

However, if you don't store CC information, you may fall under the SAQ Validation Type 1-4, which requires a less stringent self-assessment to be performed. A low volume business (level 4) may also only need to complete an annual vulnerability scan. Level 4 business requirements for PCI compliance seem to be governed by the merchant's acquirer - so contact your bank provider for information on what is required of you. According to VISA, there is no set date for a Level 4 business to obtain compliance.

#15   henrik525

henrik525
  • Members
  • 4 posts

Posted 08 January 2011 - 20:15

What if we have a dedicated IP Address and SSL Certificate - is that sufficient enough to accept payment through PayPal on my website? That is what we have been doing currently..

Henrik

#16   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 08 January 2011 - 23:36

What if we have a dedicated IP Address and SSL Certificate - is that sufficient enough to accept payment through PayPal on my website? That is what we have been doing currently..

Henrik


Depends on which PayPal method you use.

If you use PayPal Pro, then no, it's not enough...you will need to go through the PCI process.

If you use any of the other PayPal methods then you are in the clear. (Standard/IPN/Express)

Edited by toyicebear, 08 January 2011 - 23:36.


#17   mcbsolutions

mcbsolutions
  • Members
  • 179 posts

Posted 16 June 2011 - 20:26

Hi,
Question, I'm working on a site that uses the authorize.net gateway. However the card is still being stored in the mysql db. Is there a workaround to prevent this from happening? Thanks!

Steve

#18   toyicebear

toyicebear
  • Community Sponsor
  • 6,409 posts

Posted 17 June 2011 - 00:00

Hi,
Question, I'm working on a site that uses the authorize.net gateway. However the card is still being stored in the mysql db. Is there a workaround to prevent this from happening? Thanks!

Steve


Change to one of the other authorize.net modules which do not store the cc info ( look here )...or modify the one you have to not do so...

#19   cannuck1964

cannuck1964

    Contract Coder

  • Partner
  • 1,139 posts

Posted 30 June 2011 - 11:53

Change to one of the other authorize.net modules which do not store the cc info ( look here )...or modify the one you have to not do so...


Don't forget to run a credit card clearing script to delete all of the information related to the credit card storage on the database.

I have been fixing site after site that have been hacked due to poor set up etc.

Heck one site even had all of the credit card information emailed to a gmail account, with no idea how long that was happening.

It is pretty scary actually how little protection most sites have in place to protect customers' credit card data.

cheers
Peter McGrath
-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
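An added example, not the clearing script Peter refers to or any osCommerce code: a Python/sqlite3 cleanup that blanks the stored card columns (the card number, expiry and the CVV that #3 says may never be kept), then scans free-text fields with a Luhn check for full card numbers that staff may have typed into order comments. The orders table, its column names and its rows are constructed for the demo and are not osCommerce's real schema.

```python
import re
import sqlite3

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real PANs from invoice numbers and other long digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit, counting from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid digit runs hiding in free text such as order comments."""
    found = []
    for m in PAN_RE.finditer(text or ""):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def clear_card_data(conn: sqlite3.Connection) -> dict:
    """Blank the card columns and report rows whose comments still carry a PAN.
    Assumed schema (constructed): orders(orders_id, cc_number, cc_expires, cc_cvv, comments)."""
    cur = conn.cursor()
    cur.execute("UPDATE orders SET cc_number = NULL, cc_expires = NULL, cc_cvv = NULL")
    wiped = cur.rowcount
    leaks = []  # (orders_id, last four) so the report itself holds no full PAN
    for orders_id, comments in cur.execute("SELECT orders_id, comments FROM orders"):
        for pan in find_pans(comments):
            leaks.append((orders_id, pan[-4:]))
    conn.commit()
    return {"rows_wiped": wiped, "pans_in_comments": leaks}


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory orders table with the kind of leftovers a cleanup finds."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, cc_number TEXT, cc_expires TEXT, cc_cvv TEXT, comments TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "4111111111111111", "12/29", "123", "ship fast"),
        (2, "5500000000000004", "01/30", "456", "phoned in: card 5500 0000 0000 0004 exp 01/30"),
        (3, None, None, None, "invoice number 1234567890123 attached"),
    ])
    return conn
```

The report lists only the last four digits of each leak, so the cleanup log does not itself become a new place where full card numbers are stored.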

#20   amritsehgal

amritsehgal
  • Members
  • 6 posts

Posted 03 January 2012 - 13:53

This thread is really helpful to me and my knowledge. I am sure, it will be also helpful to other people.