  1. #1
    Join Date
    Oct 2009
    Posts
    13
    Plugin Contributions
    0

    Credit card information

    Hi, I'm using v 1.50, I have a question.

    I know v1.50 is supposedly PCI compliant. I'm being asked by the PCI verification people whether I have any cardholder information in the MySQL database.

    The credit card number I do see in my database is a partial number with some digits X'd out, like 1234XXXXXX5678. In the case of Mastercard however, I think there are only 2 digits XX'd out. This does make it easier to guess the full number if I'm hacked ;)

    And, there is the Credit card expiration data in the database. I think possibly even the CVV code, though I'm not sure about the CVV.

    Anyway, my question is this: IS there a way where I store NONE OF THESE in the database? I don't care about the partial credit card number, I don't care about the expiration data either. That info gets transmitted to PayPal Payflow Pro (in my case), so I have no need for the information any longer. And I'd like to get the PCI people off my back once and for all.

    They don't seem to know / care that I'm using ZenCart v1.50, they keep asking about the darn database. And I'd like to be able to tell them that I have NO CREDIT CARD INFO AT ALL.

    Thanks for any help. Is there a way to configure ZenCart to not even store partial credit card info?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Credit card information

    Zen Cart v1.5.0+ only stores information approved by PCI standards, such as up to first 6 digits (ZC only stores first 4) and last 4 digits of a credit card number and no cvv/expdate data.

    Older versions were less stringent, for various reasons, but that's immaterial now.

    As far as scrubbing old inappropriate data from your database (such as if you've stored it by using old addons), there's a section in the /docs/Implementation Guide.pdf file that addresses all of that. You really ought to read the entire guide, as it outlines important things you need to know about PCI matters.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
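
The storage rule described in the reply above (at most the first 6 and last 4 digits of the card number, no CVV or expiry date) can be checked against exported order rows. This is an added example, not part of the thread or of Zen Cart's code; the field names `order_id`, `card_number`, `card_expiry` and `card_cvv` and the sample rows are constructed assumptions.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for syntactically valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_card_field(value) -> str:
    """Classify one stored card-number value."""
    v = re.sub(r"[\s-]", "", value or "")
    if not v:
        return "empty"
    if re.fullmatch(r"\d{13,19}", v):
        return "full_pan" if luhn_ok(v) else "unmasked_digits"
    m = re.fullmatch(r"(\d*)([Xx*]+)(\d*)", v)
    if m:
        head, _mask, tail = m.groups()
        # Rule quoted in the thread: up to first 6 and last 4 digits visible.
        if len(head) <= 6 and len(tail) <= 4 and 13 <= len(v) <= 19:
            return "masked_ok"
        return "masked_too_revealing"
    return "unrecognised"

def audit_rows(rows):
    """Return (order_id, field, finding) for every value that breaks the rule."""
    findings = []
    for row in rows:
        status = classify_card_field(row.get("card_number"))
        if status not in ("empty", "masked_ok"):
            findings.append((row["order_id"], "card_number", status))
        for field in ("card_expiry", "card_cvv"):
            if (row.get(field) or "").strip():
                findings.append((row["order_id"], field, "should_be_empty"))
    return findings

# Constructed sample rows (hypothetical field names, test card numbers only).
SAMPLE_ROWS = [
    {"order_id": 1, "card_number": "1234XXXXXX5678", "card_expiry": "", "card_cvv": ""},
    {"order_id": 2, "card_number": "4111111111111111", "card_expiry": "", "card_cvv": ""},
    {"order_id": 3, "card_number": "5105105105XX5100", "card_expiry": "", "card_cvv": ""},
    {"order_id": 4, "card_number": "4111XXXXXXXX1111", "card_expiry": "0125", "card_cvv": None},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```
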

  3. #3
    Join Date
    Oct 2009
    Posts
    13
    Plugin Contributions
    0

    Re: Credit card information

    Thank you. I'll read the docs. Sounds like you're saying there is no way to wipe out even the PCI compliant credit card info.

    Either way, thank you :)

  4. #4
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Credit card information

    The information is stored for reference reasons, since it's appropriate to be able to let the customer see that information.
    It's also there for administrative reasons.
    Thus there are no tools provided for wiping data that doesn't need wiping because it's already compliant.
    Besides, new transactions would add more data that you'd then need to wipe ... and round and round and round you go, needlessly. You're not going to fail an audit for storing compliant data.

