Rubin Remus

PCI Compliant E-mail Module

Hello everybody,

I am currently building a site for a client who requires payment details to be e-mailed to him. Before everybody explains how insecure this can be, I'll shed a little more light on the subject.

He is very aware of the dangers of transmitting and storing unencrypted data and non-PCI Compliant information, but I need to figure out a way to make this be PCI Compliant. The reason he wants them e-mailed to him is because he is selling stock from a shop as well as online, and if he sells the last of a particular item from stock in the shop, and ten minutes later somebody purchases it online, typically, payment will be taken at that point, and he'll have to refund it, or order it in, and his suppliers can't be too quick with their deliveries at times. In the UK it is illegal for him to say that he has it in stock if there's a chance that he doesn't, so he'd rather have the details and process it as CNP after despatch only.

OR, if the above isn't possible, is there a module which will allow him to process the payment online AFTER despatch?

To be honest, I would rather he used an off-site payment gateway for reasons of security, but he's the customer, I can't make that choice for him.

Any help, suggestions or advice would be superb! Thanks for reading!


Having installed it, I can answer my own question. It is NOT EVEN CLOSE to being PCI-Compliant!

It stores the data in the database totally unencrypted and in plain text.

Does anyone know how to make this securely encrypted?

Thanks.


His best options would be to use a payment gateway and take deferred payments - I know SagePay can do this but I'm sure others can as well - that way the credit card is authorised but payment is not taken until "released", i.e. at the time of dispatch.

His best options would be to use a payment gateway and take deferred payments - I know SagePay can do this but I'm sure others can as well - that way the credit card is authorised but payment is not taken until "released", i.e. at the time of dispatch.

This is exactly what I told him about an hour ago, and now he's gone for that, despite the extra expense.

Thanks for your comment though, it made me a little more sure of myself!
