
Storing Credit Card Numbers - Risky?


netstep


What are the security risks/fixes for storing credit card numbers in mySQL DB?

 

I just installed Authorize.net AIM in SSL secured store.

http://www.oscommerce.com/community/contributions,4091

The payment module works super smooth, but it stores CC# in the database unencrypted.

 

In general this freaks me out because I don't know what the osC hack risks are.

I don't want to be at risk or put my customers at risk of some nasty personal data loss lawsuit.

 

I asked my hosting company about the risks. They responded:

The MySQL database is setup in a secure manner. The more likely point of attack would be your oscommerce installation, so please make sure to keep it up to date.

and

The database is fairly secure. However, I would suggest encrypting the numbers if possible. An exploit of your php scripts would probably give the attacker access to the database and numbers since the script would need the login information to use authorize.net.

 

Does anyone know how to scramble the CC# for Authorize.net so they look like 4001********2345?

 

I posted this question in the 4091 support forum, but I think it is more general to OSC as a whole.

http://www.oscommerce.com/forums/index.php?sho...=199381&st=102#

Sam M. - Seattle


Read up on CISP and PCI regulations:

 

If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

 

Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.


Credit card companies have very strict security requirements for online merchants regarding data storage security. Last year in the US, there was talk of extending data security laws that financial institutions are bound by to include merchants who accept credit cards as well, but I don't know if the extension was ever passed. If you are using OSC, there is an extremely good chance that you are not equipped to meet credit card industry data storage requirements. If you are caught storing numbers, at the very least you'll probably lose your merchant account.


With all the different payment modules, etc., how does a person even know if the CC# is stored in the DB? Is there a common spot for it? I know mine show up on my invoices, with the middle #'s masked, but I'm assuming the numbers are not stored in the DB.

 

Any simple ways of checking?


Any simple ways of checking?

You should be able to run a test transaction. Whatever is in the DB will be displayed in the Order Details. Your payment module should explain how to run a test transaction.

Sam M. - Seattle

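As an added example (not code from this thread or from osCommerce itself), a small Python check that covers the two questions above: mask a card number to the 4001********2345 form before it is written anywhere, and scan exported order rows for Luhn-valid digit runs, which is the simplest way to confirm whether a payment module is still storing full numbers. The rows, the column names (cc_number, cc_owner) and the card values are constructed test data, not real records.

```python
import re

# Constructed sample rows standing in for an export of the orders table.
# 4111111111111111 is a well-known Visa test number, not a live card.
SAMPLE_ROWS = [
    {"orders_id": 1, "cc_number": "4111111111111111", "cc_owner": "Test One"},
    {"orders_id": 2, "cc_number": "4001********2345", "cc_owner": "Test Two"},
    {"orders_id": 3, "cc_number": "", "cc_owner": ""},
]

# Any run of 13 to 19 digits is a candidate PAN; Luhn filters out order ids etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false otherwise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 4 and last 4 digits, replace everything between with '*'."""
    digits = re.sub(r"\D", "", pan)      # tolerate spaces or dashes in input
    if not 13 <= len(digits) <= 19:
        raise ValueError("input does not look like a card number")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def find_plaintext_pans(rows):
    """Return orders_ids of rows where any text column still holds a Luhn-valid PAN.

    Every string column is scanned, so the check works even if a payment
    module stashes the number somewhere other than cc_number.
    """
    hits = []
    for row in rows:
        for value in row.values():
            if isinstance(value, str) and any(
                luhn_valid(m.group()) for m in PAN_RE.finditer(value)
            ):
                hits.append(row["orders_id"])
                break
    return hits


if __name__ == "__main__":
    print("masked:", mask_pan("4111 1111 1111 1111"))
    print("rows still storing a full PAN:", find_plaintext_pans(SAMPLE_ROWS))
```

Running the scanner over a real export only tells you which rows need cleaning; the masking step has to be applied before the module writes the number, not after.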

 

A friend told me that if my website stores CC numbers and if a hacker stole those numbers, I may be liable to lawsuits of hundreds of thousands of dollars. Is this correct? If so, how do we set up my osCommerce site so that the CC is not stored in the DB?

 

My friend told me to do a "Vulnerability Test", which tests to see how easy it is to steal the CC numbers. This test costs $2-3K. Does anybody have experience with this and if it is necessary?

 

I'm building this e-commerce store for a client. Do I need a legal agreement with my client to indemnify myself from hackers that screw up the website, fraud, steal products, etc.?

Edited by curt0
I would never ever store CC numbers in my db, nor would I accept responsibility in the future for what may or may not happen. You can only act on what is known at the time, or can reasonably expect to happen in the future.
