Originally Posted by DrByte
It is (basically) illegal to store credit card numbers directly on your store's database, since (I can almost guarantee based on your question that) you've not built yourself a multi-million-dollar datacenter to the required security specifications to allow you to store such sensitive information.
This is NOT a Zen Cart issue. This is a credit card security and fraud prevention issue, which you'll find in ALL online store systems.
If you don't understand or if you disagree, talk to your bank directly and tell them that you want to store unencrypted credit card numbers on the internet. And watch their reaction. They'll educate you quickly ... or cancel your bank account.
That is why Zen Cart only stores a maximum of 10 characters, and the middle 2 characters are XX. Thus the sensitive information can never be stolen.
If you're trying to change the way Zen Cart works and intend to store credit card numbers unencrypted in your database, then you're assuming all the risks of fraud, and should be setting aside tons of money for the fees you'll pay in fraud investigations.
I know there's a CEON credit card module which sends information by email. If that's what you're using, then perhaps you need to investigate its proper use more thoroughly.
As DrByte says, you risk EVERYTHING - including your livelihood and future. I don't suppose you are aware of this story:
In 2010, Genesco was the victim of "a sophisticated cybercrime attack," according to court papers available on Wired's Web site, which was the first to report the lawsuit. Criminals installed a packet sniffer on Genesco's networks to gather unencrypted card-swiped transactions during the authorization process. "Notwithstanding this circumstance, the PCI DSS not only does not prohibit, it actually expressly approved, unencrypted transmission of mag-stripe-swipe transaction approval data," according to the court document.
Genesco claims thieves never accessed data stored within the company's network, in part because Genesco rebooted its servers, which overwrote any log files with sensitive cardholder data before hackers could access it. Nonetheless, Visa alerted all of its account holders who'd made a purchase at a Genesco store from Dec. 4, 2009 to Dec. 1, 2010 that their private data may have been compromised.
In May 2011, providers Fifth Third Financial and Wells Fargo, and in turn Genesco, were fined $13,298,900 for PCI DSS violations and expenses incurred over the breach and resulting fraudulent charges.
Both Visa and Mastercard fined the companies for a combined $15.6 million, but only Visa is named in the current lawsuit. In a January SEC filing, Genesco reported $2.1 million in legal and consulting fees related to the data breach.
Only one other related lawsuit has been reported in the United States, and that one involved a $90,000 legal dispute between a Utah restaurant chain and US Bank, which sued each other after the restaurant failed to secure its network and suffered a data breach that resulted in fraud and PCI penalties, according to Wired.
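The masking rule DrByte describes (at most 10 characters, the middle two replaced by XX) and the log-file exposure in the Genesco story, as an added example that is not code from this thread or from Zen Cart: a masking function plus a Luhn-filtered scanner that flags unmasked card numbers in log lines and reports them only in masked form. The log lines are constructed and the card numbers are well-known test numbers.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn check on a string of digits; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Reduce a card number to the 10-character form described in the thread:
    first four digits, 'XX', last four digits (separators are ignored)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:4] + "XX" + digits[-4:]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Masked values (e.g. 4111XX1111) never match because
# the XX breaks the run into two short pieces.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in text (heuristic: a date or
    order number can still pass Luhn by chance, so treat hits as leads)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def leak_report(log_text: str) -> list:
    """(line number, masked PAN) for each unmasked PAN in a log, so the report
    itself never repeats the full number."""
    report = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for digits in find_unmasked_pans(line):
            report.append((n, mask_pan(digits)))
    return report

# Constructed log lines: line 1 and 3 leak full PANs, line 2 is properly masked.
SAMPLE_LOG = """2010-12-01 10:15:02 auth request order=1842 pan=4111 1111 1111 1111 exp=12/12
2010-12-01 10:15:03 auth ok order=1842 pan=4111XX1111
2010-12-01 10:16:40 auth request order=1843 pan=5555555555554444 exp=01/13"""

if __name__ == "__main__":
    for line_no, masked in leak_report(SAMPLE_LOG):
        print(f"line {line_no}: unmasked card number found ({masked})")
```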