Finishing up my PCI compliance and am wondering:
I Am using offline processing with Zencart with SSL, is the extra CC info sent to me by email (comes in 2 seperate email) secure???
Finishing up my PCI compliance and am wondering:
I Am using offline processing with Zencart with SSL, is the extra CC info sent to me by email (comes in 2 seperate email) secure???
No!! It is not sent encrypted nor secureFinishing up my PCI compliance and am wondering:
I Am using offline processing with Zencart with SSL, is the extra CC info sent to me by email (comes in 2 seperate email) secure???
Zen-Venom Get Bitten
If email is a non-secure way to send additional CC info (for offline processing), then how can you access all the CC info needed, securely through Zencart?
Peacefull Pillows
Handcrafted Organic Comfort
Sending both emails to the same address is certainly not a secure approach.
You'll need to ask your PCI person whether they will pass you if the credit card digits are supplied to you in separate emails. I've seen many people pass compliance by sending the middle digits to an email address that's stored on another domain on another server separate from the one where your order confirmation emails are sent.
And then of course deleting those emails once you've processed the orders.
In the simplest sense sending the middle digits via email, and leaving the outer digits on the server, is secure. But having 2 emails sent to the same place containing the sum total of all digits is ... dangerous, for the reasons kobra mentioned.
But ... a much safer and secure approach is to use a payment gateway service that processes the card in real time. That also gives the customer immediate access to whatever they've purchased ... which is important if you're selling digital goods. There's the added cost of a monthly fee for live processing, which can be a minor deterrent for some in the early stages of business, or so some say. It's a lot less work to have it done live than to have to process them manually later, especially if the card is declined for some reason ... the gateway would have caught that immediately and the customer would have to sort it out, rather than you having to contact them and work out other arrangements or try other cards etc etc etc.
HTH
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Thanks for all the great information, I really appreciate it! Where would we be without folks like you, keeping us straight.
I will set things up the way you suggested, having CC info come to another separate domain on separate server, until I am ready for a payment gateway.
Peacefull Pillows
Handcrafted Organic Comfort