Credit Card Processing System Question
Started by packblitz, Aug 17 2012 03:14 PM
5 replies to this topic
#1
Posted 17 August 2012 - 03:14 PM
We process our credit cards through a POS Ethernet terminal. When an order comes in, it uses the 'Credit Card' payment class. The first 4 and last 4 card digits and the expiration date get stored on the order (unencrypted). The middle 8 digits get stored in the database in a different, nondescript table than the 'orders' table. When an order is printed out, it pulls the first 4 and last 4 card digits and the expiration date from the database. It also pulls the middle 8 from the nondescript table and puts them together on the invoice paper printout. As soon as the printout is done, the middle 8 digits are automatically erased from the nondescript table in the db. The paper printout is done over https.
Here's my question: is this secure, and if not, what can I do to improve this system's security?
Thanks! I'm going over the PCI compliance stuff and want to get it done correctly.
#3
Posted 21 August 2012 - 02:35 PM
Specific to the printing of invoices, is that secure?
#4
Posted 23 August 2012 - 01:14 AM
I hope you're not printing out the entire credit card number on the customer invoice! That is never done. It would most definitely not be PCI compliant.
#5
Posted 23 August 2012 - 03:44 PM
We don't send that invoice in the mail with the full card number. It's just so we can enter it in the POS terminal.
#6
Posted 24 August 2012 - 01:17 AM
PCI compliance aside, most merchant accounts forbid the use of in-store POS terminals to process web (or any other non-in-person) card transactions. Having a physical card in hand is lower risk of fraud, and they can charge lower fees. If they catch you doing what it sounds like you're doing, you'll catch hell from them.









