Online Credit Card Storage? [closed]

℡╲_俬逩灬. Submitted on 2019-11-28 18:19:05

That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).

Even worse, he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and that Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant, as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.

Edit

Since I doubt the website owner will actually bother to get a new merchant account or implement a payment gateway, your best bet is to use two-way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure end-to-end.

I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever having a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing, and for the trouble to start.

This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml It would be smart to go third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self-assessed), which can include penetration testing, etc.

If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking.

I currently support an in-house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes. It will be cheaper for the business to convert to third party.

There are lots of third party payment providers for you that will deal with all security and compliance issues.

For any small to medium businesses this is one function that should definitely be outsourced to those with expertise.

Using a 3rd party credit card processing gateway obviates the need for storing credit card information on the client's server: the POSTed card info is passed along to the processing gateway, which returns a transaction id that can be used for record-keeping by your client.

A credit card payment gateway is provided by companies like Authorize.net, LinkPoint Central - even PayPal is getting into the game. All the major gateways have existing code for integrating a shopping cart with most of the popular web programming platforms (.NET, PHP, Java, etc.). Plus most major shopping carts support the major gateways out of the box, or at the very least have installable modules for most gateways.

So, your client should get an internet payment gateway setup and you should integrate their existing code with the gateway.

Correctly protecting payment data is a complex topic. Even very large companies sometimes have large numbers of credit cards stolen from their systems.

At a minimum, here are steps to consider:

  • Ensure the online order form is using HTTPS to capture data.
  • If the DB and web server are different boxes, ensure a secure path between them.
  • Encrypt the payment data in the DB. MySQL Reference.
  • Ensure strong access control to the back-end web page (is it physically accessible to the outside world? Does it require a strong password? Is it HTTPS?)
  • Ensure there are no logs (e.g. debug log) that end up writing the payment info to the file system.

It is definitely a violation of PCI rules. However, it shouldn't be that hard to add encryption to the stored data, especially if it's rare a human will have to look at it.

Having worked for a third party credit card transaction processing company, I highly recommend it if their system is that bad. However, you'll still need to encrypt that information, or not store it at all after it's sent to the TPP. The TPP really works for the merchant, so they can help you with any compliance issues and help you get the best interchange rates.
