Jump to content

Archived

This topic is now archived and is closed to further replies.

mouschi

best way to store credit card #s?

Recommended Posts

I have a client who has oscommerce and wants to store credit cards so he can run them in his separate terminal. He doesn't have authorize.net or anything like that. What is the best way to securely store these card #'s? Email? write to a file that isn't web accessible? Any ideas GREATLY appreciated!

Share this post


Link to post
Share on other sites

Dexter,

 

If you collect credit card information of ANY kind, your site must be PCI DSS compliant. PCI DSS compliance is COSTLY, ranging from $6000.00-$10,000.00 to qualify and maintain. Of all of my clients, I have only ONE that has pursued and recieved compliance and he justified the cost because his website has an annual revenue over $500,000.00 / yr.

 

However, most do not take that route and used only merchant processing companies like authorize.net, PayPal, Linkpoint, Beanstream and others.

 

You should read the link above and inform yourself so you can review your clients options with them. The PCI DSS compliance process is NOT easy and requires a great deal of personal and business information (credit checks, credit history, citizenship check, personal guarantee's if needed, etc etc) to complete.

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

WOW - so are you saying it is illegal basically to store / transmit credit cards other than sending it through somewhere like authorize.net? Not even email or store as a text file? Is this a new thing? Thanks

Share this post


Link to post
Share on other sites

Dexter,

 

Any type of electronic receipt of credit card information is covered under PCI DSS compliance. Basically, unless you have the card in your hand and swipe it into the machine, you require PCI DSS compliance.

 

The work around for this is to have the customers complete an authorization form and FAX or MAIL it to the store owner so the store owner can enter the information into a virtual terminal and process the transaction. Notice I said virtual terminal ? This is because most merchant terminals (in your store) will no longer allow you to manually enter the card information into the machines. Some still do, but they are changing because of Chip Technology and increased security protocols.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

No, it has been around for a while.

 

It is not difficult to achieve just you need to have a technical "Team" that can ensure your site is secure.

 

The card industry do not want any horror stories of card details being stolen and so want to ensure anyone who hold cc details for even a fraction of a second have everything tied down,

 

Have a look at the number of osc site that are hacked at the moment, there are thousands out there, and you will understand why these rules are in place.

 

Use PP or protx or ......

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

Thanks Chris - I assume your response means that credit cards in no way shape or form are to be stored on the server or sent via email, no matter what. I do pay for pci compliance at $180 or so a year, but I think that is only so I can take credit cards myself. I have other clients that use places like authorize.net but card data is sent to them over https, and I'm sure there are no problems in doing that since I don't store it anywhere. It automatically just sends to authorize.net.

Share this post


Link to post
Share on other sites

PP is PayPal.

 

Your $180.00 /yr is not PCI compliance, it simply allows you to have a terminal which transmits via SSL encryption. It does not however indemnify you of liability should your clients credit card information be compromised while in your care. (that's another topic for another time)

 

 

As I said, you will have to review PCI DSS compliance policies and talk it over with your client to see if they wish to pursue compliance or not.

 

IMPO, it is just easier to use a online processing company to do it because their rates are similar to what your client would pay by processing manually. The added bonus is, your client is never responsible for the credit card information.

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

yeah i think i'm gonna have him do paypal, or have it go over ssl to authorize.net or something instead. thanks!

Share this post


Link to post
Share on other sites

Share this post


Link to post
Share on other sites

How long has PayPal been a merchant processing company?

 

PayPal will store your credit card and will process it through their payment gateway and merchant bank but it is neither a payment gateway nor a merchant bank - just ask them!


My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really neccessary

Share this post


Link to post
Share on other sites

×