Online Credit Card Storage? [closed]

Answer 1

This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml It would be smart to go third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self assessed), which can include penetration testing, etc. If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking. I currently support an in house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes as well. It will be cheaper for the business to convert to third party.

Answer 2

Using a 3rd party credit card processing gateway obviates the need for storing credit information on the client's server - the POST'ed cc info is passed along to the processing gateway which returns a transaction id that can be used for record-keeping by your client.

A credit card payment gateway is provided by companies like Authorize.net, LinkPoint Central - even PayPal is getting into the game. All the major gateways have existing code for integrating a shopping cart with most of the popular web programming platforms (.NET, PHP, Java, etc.). Plus most major shopping carts support the major gateways out of the box, or at the very least have installable modules for most gateways.

So, your client should get an internet payment gateway setup and you should integrate their existing code with the gateway.

Answer 3

That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).

Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.

Edit

Since I doubt the webbsite owner will actually bother to get a new merchant account or implement a payment gateway your best bet is to use two way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end-to-end.

I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever have a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.

Answer 4

It is definitely a violation of PCI rules. However, it shouldn't be that hard to add encryption to the stored data, especially if it's rare a human will have to look at it.

Having worked for a third party credit card transaction processing company, I highly recommend it if their system is that bad. However, you'll still need to encrypt that information, or not store it at all after it's sent to the TPP. The TPP really works for the merchant, so they can help you with any compliance issues and help you get the best interchange rates.

Answer 5

There are lots of third party payment providers for you that will deal with all security and compliance issues.

For any small to medium businesses this is one function that should definitely be outsourced to those with expertise.

Answer 6

Correctly protecting payment data is a complex topic. Even very large companies sometimes have large numbers of credit cards stolen from their systems.

At a minimum, here are steps to consider:

• Ensure the online order form is using HTTPS to capture data.
• If the DB and web server are different boxes, ensure a secure path between them.
• Encrypt the payment data in the DB. MySQL Reference.
• Ensure strong access control to the back-end web page (is it physically accessible to the outside world? Does it require a strong password? Is it HTTPS?)
• Ensure there are no logs (e.g. debug log) that end up writing the payment info to the file system.