
toyicebear

New regulations for manually processing credit card information.


The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.

 

If you are one of the above, PCI Compliance is not a request, or suggestion, it is now a requirement.

 

However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

 

By the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.

 

Credit card companies and acquirer banks can levy stiff fines and remove the merchant's ability to process credit card transactions until the merchant is PCI compliant.

 

 

Details on the requirement can be found at the PCI Security Standards Council.


If you are PCI compliant you are allowed to store the following info:

- Account Number
- Cardholder Name
- Expiration Date
- Service Code

The following info you are NOT allowed to store even if you are PCI compliant:

- Magnetic Stripe
- CVV/CVV2
- PIN Data
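The two lists above translate directly into a write-time filter. The following is an added example, not code from this thread or from osCommerce: it keeps only the storable elements, drops the never-storable ones, and also scans free-text values for magnetic-stripe track data so that a full stripe pasted into a name or note field is rejected rather than written. The field names (`account_number`, `track2`, `order_notes` and so on) are assumptions chosen for the example.

```python
"""Storage-policy filter for card data.

Added example; not code from the thread or from osCommerce. It encodes the two
lists in the post above: elements a compliant merchant may store, and elements
that must never be stored (full magnetic stripe, CVV/CVV2, PIN data). Records
are filtered before they are written, and free-text values are scanned for
magnetic-stripe track data so a stripe pasted into a name or note field is
rejected too. Field names are assumptions chosen for this example.
"""
import re

# Elements the post lists as storable.
ALLOWED_FIELDS = {"account_number", "cardholder_name", "expiration_date", "service_code"}
# Elements the post lists as never storable, even when compliant.
PROHIBITED_FIELDS = {"magnetic_stripe", "track1", "track2", "cvv", "cvv2", "pin", "pin_block"}

# Track 1: '%' sentinel, format code 'B', PAN, '^', name, '^', expiry (YYMM).
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
# Track 2: ';' sentinel, PAN, '=', expiry (YYMM).
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def find_track_data(text):
    """Return the track formats found in a free-text value (empty list if none)."""
    found = []
    if TRACK1_RE.search(text):
        found.append("track1")
    if TRACK2_RE.search(text):
        found.append("track2")
    return found


def sanitize_for_storage(card_record):
    """Split the card portion of a record into (stored, dropped).

    `stored` holds only allow-listed fields that are free of track data;
    `dropped` lists each removed field with the reason. Fields that are neither
    allowed nor prohibited are dropped as well: deny by default.
    """
    stored, dropped = {}, []
    for key, value in card_record.items():
        if key in PROHIBITED_FIELDS:
            dropped.append(f"{key}: never storable")
            continue
        if key not in ALLOWED_FIELDS:
            dropped.append(f"{key}: not on allow-list")
            continue
        hits = find_track_data(str(value))
        if hits:
            dropped.append(f"{key}: contains {','.join(hits)}")
        else:
            stored[key] = value
    return stored, dropped


if __name__ == "__main__":
    # Constructed sample: a swiped transaction that a careless integration
    # would have written to the orders table in full (test-style PAN).
    sample = {
        "account_number": "4111111111111111",
        "cardholder_name": "A. Customer",
        "expiration_date": "1209",
        "service_code": "201",
        "cvv2": "123",
        "track2": ";4111111111111111=12092011000000000000?",
    }
    kept, removed = sanitize_for_storage(sample)
    print("stored:", sorted(kept))
    for reason in removed:
        print("dropped:", reason)
```

The deny-by-default branch is deliberate: a new column added by a module later (order notes, a "remember my card" flag) never becomes a storage location by accident, and the `dropped` list is what you would log to spot an integration that keeps handing over CVV2 or track data.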


What Happens If My Business Does Not Become PCI Compliant?

 

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.

  • Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.
  • You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
  • If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.
  • Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.


I did some work for a business that wasn't fully PCI compliant but since showing them this thread has got their act together.

 

* Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.

* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.

* If you do not notify the companies of probable or actual violations or thefts of our customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.

* Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.

 

definitely some hefty fines!


For those who wish to be compliant and also wish to have the highest security (Both for users and also to protect you the shop owner from fines etc) the use of an online payment gateway to process your payment is your best bet.

 

Your business bank or your merchant account provider should be able to point you in the direction of a suitable provider for your needs.

 

It also might be a good idea to shop around some; there are many payment gateway re-sellers who give great start-up offers.

 

As a starting point, here are just some of the payment gateway solutions available.

 

US

 

Authorize.net

PayPal PayFlow Pro

LinkPoint

Trust Commerce

 

EU

 

Protx

MetaCharge

SecPay

ChronoPay

 

Scandinavia

 

Dibs

 

Asia Pacific

 

Paymentexpress / DPS PxPost

 

International solutions

 

WorldPay

PayPal

2Checkout

 

 

This is just a short list to get you started; there are of course a lot more international and local country payment gateway providers out there, and some banks even have their own payment gateway solutions, like for instance HSBC.


Pretty serious stuff! Thanks for the info.

 

Funny, we have been processing credit cards for over 8 years (through the acquirer Moneris) and this is the first I have ever heard of "PCI", even though we process up to $80,000 in transactions per year.

 

It has always been our practice to take card info over the phone (we're a mail-order business), store it in a password-protected PC that is NEVER connected to the internet (we use this one PC for all customer data storage and invoicing), and submit the sales info to Moneris via an IVR touch-tone phone system. I guess this is low-tech enough to be pretty secure.

 

As I described in another post, we are installing osCommerce, but due to our low volume, we intend for now simply to harvest the credit card info from the secure area on the server (and then delete it from there), and process with our usual procedure. We're not using the invoice or packing slip features of osC either, as we have our own set up on our PC. So the osC storefront on our website is just another means for our customers to order from us, 24/7.

 

Still, even the most responsible person can endanger the security of customer information if proper procedures are not worked out in advance. I was working on our database one day, and making backups onto a USB flash drive, the size of a pink rubber eraser. I could easily have gone out of the office with it in my pocket. The fact that this could so easily happen, in anyone's business, made me aware that one must always have safe procedures in place for handling such valuable data. As merchants, we should aim to be as careful as the most "paranoid" of our customers.


OK, I've done a bit more reading of related posts. I have gathered that since our site is hosted on a shared server, and since the data will "sit" on it for a little while before we delete it, this set-up would not be PCI-compliant.

 

My version of osC includes the Credit Card module feature that emails the merchant a section of the CC#, while the other section is stored on the server. I guess this would be closer to compliant, anyway.

 

But close only counts in horseshoes... :unsure:


I'm not sure how you are intending to use Moneris eSelect Plus. I am currently using this on my website; however, I have removed all CC fields from my database and do not store any CC information. Moneris hasn't asked me for a PCI certificate, but in my case I wouldn't need it, since I don't store that information, if they ever asked. I suppose that unless you are doing recurring billing there is no need to store CC information (unless you want to give your customers a way for quick purchasing). With osC and so many people in the world looking to exploit the software, I wouldn't store it, and even with recurring billing this can be entered into the Moneris website manually.


I don't think we use eSelect Plus (not familiar with the name). We used to fill out paper sales draft slips and take them to the bank. When Moneris phased out paper, they offered us the IVR procedure to use with our touch-tone phone. The customer provides us their information via phone or fax, and we then phone it in to Moneris's automated IVR system, and the money lands in our bank acct. the next day.

 

With this set-up, from what I understand, PCI compliance only applies to the PC (not connected to the internet) that we store the info on. Yes, we have the option of not storing this info, but as it's on a password-protected non-networked PC, I think from what I've read that our procedure would be PCI compliant. Even Moneris expects us to store this sales info - when there is any mix-up, even months-old, they want all the details of the transaction including the customer's CC#. How could such things ever be straightened out if we had no record of the information we had input to their system?

 

Now that we wish to collect sales info over the internet, PCI compliance issues affect our host's server as well, which is likely NOT PCI-compliant. I wonder if it is sufficient that we use the part of the osC Credit Card module that splits up the CC#, sending a section of it immediately to the merchant via email, and only storing the remaining 8 digits? Does the whole CC# ever reside on the host's server, even for an instant? Anyone know?


eSelect Plus is Moneris' Online Transaction Service..

 

The CC information should only reside in the users session memory space.. when the user clicks 'confirm' the CC information is POSTed via SSL to Moneris Servers. Moneris then returns with some information to osCommerce which then destroys the session variables associated with the CC information whether approved or not. CC information should not be stored anywhere by your host at anytime.

 

As for maintaining CC information, I don't maintain it, and the Moneris eSelect Plus integration guide doesn't say to maintain it either. The transaction itself has a Moneris ID associated with it, in case you need to look it up. I save all Moneris transaction emails (transactions not face to face) and all receipts (signed, when face to face of course). I'm pretty sure that's all that's necessary.
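The flow the post above describes (card data held only in the session, POSTed once to the gateway on confirm, then destroyed whether approved or not) is easy to get wrong on the failure path. The following is an added example, not code from this thread, osCommerce or Moneris: the gateway is a stub with a scripted outcome, the session is a plain dict, and the field names are assumptions. The TLS transport the post mentions is outside what the stub models; the point shown is that the purge happens on approval, on decline, and on a dropped connection alike.

```python
"""Card data in the session only, purged whether the gateway approves or not.

Added example; not code from the thread or from osCommerce/Moneris. It models
the flow the post describes: card details sit in the customer's session, are
POSTed once to the gateway on 'confirm', and are removed from the session no
matter what the gateway answers. The gateway is a stub (`StubGateway`), the
session is a plain dict, and the field names are assumptions.
"""

CARD_KEYS = ("cc_number", "cc_expires", "cc_cvd")


class StubGateway:
    """Stand-in for the remote gateway with a scripted outcome."""

    def __init__(self, outcome):
        # outcome: "approved", "declined", or "timeout" (raises, like a dropped connection)
        self.outcome = outcome
        self.received = []

    def post(self, payload):
        self.received.append(dict(payload))
        if self.outcome == "timeout":
            raise ConnectionError("gateway unreachable")
        return {"approved": self.outcome == "approved",
                "gateway_txn_id": f"txn-{len(self.received)}"}


def confirm_order(session, gateway):
    """Send the card fields from the session to the gateway, then purge them.

    The purge runs in `finally`, so an exception on the wire cannot leave the
    card data parked in the session for the next request to find.
    """
    payload = {k: session[k] for k in CARD_KEYS}
    try:
        reply = gateway.post(payload)
    except ConnectionError:
        reply = {"approved": False, "gateway_txn_id": None}
    finally:
        for k in CARD_KEYS:
            session.pop(k, None)
    # Only the gateway's own transaction id is kept for later lookups, never the PAN.
    return {"approved": reply["approved"], "gateway_txn_id": reply["gateway_txn_id"]}


def session_is_clean(session):
    """True when no card field remains in the session."""
    return not any(k in session for k in CARD_KEYS)


if __name__ == "__main__":
    for outcome in ("approved", "declined", "timeout"):
        # Constructed session for one checkout; the PAN is a test-style value.
        session = {"customer_id": 42, "cc_number": "4111111111111111",
                   "cc_expires": "1209", "cc_cvd": "123"}
        result = confirm_order(session, StubGateway(outcome))
        print(outcome, result, "session clean:", session_is_clean(session))
```

What survives the call is the gateway's transaction id, which is exactly the lookup handle the post says Moneris provides; in a real deployment the same discipline applies to anything else that persists between requests (server-side session files, request logs, error reports), none of which should ever see the payload.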


UPDATE

 

My website now has a PCI certificate of compliance from Trustwave (Trustkeeper).

 

For anyone interested in the steps involved, I posted them here, in a thread I started about PCI compliance.


Just remember;

 

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation.

 

Even if you don't store the data, if you transmit the information to your acquirer, you must be PCI compliant.

 

However, if you don't store CC information, you may fall under SAQ Validation Type 1-4, which requires a less stringent self-assessment to be performed. A low volume business (level 4) may also only need to complete an annual vulnerability scan. Level 4 business requirements for PCI compliance seem to be governed by the merchant's acquirer, so contact your bank provider for information on what is required of you. According to VISA, there is no set date for a Level 4 business to obtain compliance.


what if we have a dedicated IP Address and SSL Certificate - is that sufficient enough to accept payment through paypal on my website? That is what we have been doing currently..

 

Henrik


Depends on which PayPal method you use.

 

If you use PayPal Pro, then no, it's not enough; you will need to go through the PCI process.

 

If you use any of the other PayPal methods then you are in the clear. (Standard/IPN/Express)


Hi,

Question, I'm working on a site that uses the authorize.net gateway. However the card is still being stored in the mysql db. Is there a workaround to prevent this from happening? Thanks!

 

Steve


Change to one of the other authorize.net modules which do not store the cc info ( look here )...or modify the one you have to not do so...


Don't forget to run a credit card clearing script to delete all of the information related to the credit card storage on the database.

 

I have been fixing site after site that have been hacked due to poor set up etc.

 

Heck one site even had all of the credit card information emailed to a gmail account, with no idea how long that was happening.

 

It is pretty scary actually how little protection most sites have in place to protect customers' credit card data.

 

cheers


Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
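The clearing script the post above recommends is worth seeing as an audit-then-clear pair rather than a single UPDATE. The following is an added example, not the thread's or osCommerce's own script: it counts the orders that still hold card data, blanks the card columns on exactly those rows, and runs against an in-memory SQLite copy so it can be tried offline. The table and column names (`orders`, `cc_type`, `cc_owner`, `cc_number`, `cc_expires`) follow the osCommerce 2.2 layout as I know it; treat them as assumptions and confirm against your own schema before running anything like this on a live database.

```python
"""Clearing script for card data left behind in an orders table.

Added example; not the thread's or osCommerce's own script. It audits how many
orders still hold card data, then blanks the card columns on those rows. The
table and column names follow the osCommerce 2.2 layout as I know it; they are
assumptions to be checked against your own schema.
"""
import sqlite3

CARD_COLUMNS = ("cc_type", "cc_owner", "cc_number", "cc_expires")
# A row still "holds card data" if any card column is non-empty.
HAS_CARD_DATA = " OR ".join(f"({c} IS NOT NULL AND {c} <> '')" for c in CARD_COLUMNS)


def open_sample_db():
    """Constructed orders table: two rows with card data, one already clean."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, customers_name TEXT, "
        "cc_type TEXT, cc_owner TEXT, cc_number TEXT, cc_expires TEXT)"
    )
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)",
        [
            # Test-style PANs, constructed for the example.
            (1, "A. Customer", "Visa", "A. Customer", "4111111111111111", "1209"),
            (2, "B. Customer", "", "", "", ""),
            (3, "C. Customer", "MasterCard", "C. Customer", "5500000000000004", "0110"),
        ],
    )
    con.commit()
    return con


def count_rows_with_card_data(con):
    """Audit step: how many orders still carry any card data."""
    return con.execute(f"SELECT COUNT(*) FROM orders WHERE {HAS_CARD_DATA}").fetchone()[0]


def clear_card_data(con):
    """Blank every card column on rows that have any; returns the number of rows cleared."""
    assignments = ", ".join(f"{c} = ''" for c in CARD_COLUMNS)
    cur = con.execute(f"UPDATE orders SET {assignments} WHERE {HAS_CARD_DATA}")
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    con = open_sample_db()
    print("orders holding card data before:", count_rows_with_card_data(con))
    print("rows cleared:", clear_card_data(con))
    print("orders holding card data after:", count_rows_with_card_data(con))
```

Run the audit count before and after, and keep the "after" query as a recurring check so that a module re-enabled later cannot silently start filling the columns again. An UPDATE does not scrub the old values from the database file's free space, and the same data usually also lives in backups, database dumps and, as the post notes, in any mailbox the old module was sending to; the clearing script is only the first of those places.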
