  1. #11

    Re: My client wants to Store Credit Card numbers encrypted in the database on the ser

    Quote Originally Posted by Tech-E
    @the_ancient, I think you are mistaken about this.

    There is a difference between being illegal and in violation of PCI standards. It is not illegal to be in violation of PCI standards. PCI standards are a "best practices" approach that may be required by some credit card companies.

    Most shopping carts do not encrypt customer names, addresses, etc., in their databases, although it may be a good idea to do so given the data security laws of states such as California.

    I have worked on many e-commerce sites and I have never seen one that fulfills all of the PCI requirements.

    Personally, I think it is insane to store credit card info that can be unencrypted and displayed in an Admin area. Admin passwords can be broken. Yet, I have seen many e-commerce systems that do allow credit card details to be displayed. I cringe every time I see this.

    Jan 1 2008 all merchants were REQUIRED to be compliant with PCI; before that it was optional.

    PCI has different levels for different ranges of Transactions, and you only have to be compliant if you store the CC data. Most stores don't, so they don't have to worry, but if you are storing numbers after Jan 1 2008 you better be PCI compliant or face Fines or Suspension of your CC processing Privileges.

  2. #12

    Re: My client wants to Store Credit Card numbers encrypted in the database on the ser

    Quote Originally Posted by infocom
    Well that's the thing... they use Cyberstrong eShop which, although it encrypts the data in the Access database, lets you see it all unencrypted in the Admin area. Even the CVV number. You can also download the eShop Access database by going directly to it in the browser (if you knew the path), and this does not require a password to open.

    So I am trying to convince them to use Zencart and have the split number sent to an email address to improve this, but they are so used to clicking a link to see all the cc details in their Admin that they don't want to change. They also think having an SSL prevents all these issues, so they have been miseducated.

    So I am hoping these standards convince them they should change their system.

    Thanks
    1. Splitting the CC Number is not PCI Compliant security; hell, it can barely be considered "security". Email is very insecure; I would not want any, even part, of my card number in an email. IMO this option should have been removed from OSC/Zen a long time ago.

    2. Why don't they use a Gateway? This is a standard way to process Credit Cards over the net. They may want to check with the merchant provider as well, as some will not allow you to collect CC data and process the Data offline; Ecommerce and "phone" transactions must be handled differently.

  3. #13

    Re: My client wants to Store Credit Card numbers encrypted in the database on the ser

    Also you need to express to your client that storing CVV data has never been authorized. They may or may not get busted on the PCI right now as it is new; however, if they are caught storing CVV data they will lose their merchant account, their account will be flagged, and they will more than likely never be able to process Credit Cards again....

    NEVER EVER EVER EVER EVER EVER EVER store cvv data
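A defender-side check for the failure mode described in this thread (a shop database that holds full card numbers and CVV values, visible in the admin area and downloadable), added here as an example and not code from the thread or from Zen Cart: it scans exported rows for Luhn-valid card numbers and for populated security-code columns, reporting PANs only in masked form. Table and column names and all row values are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column names that indicate a stored card security code (CVV/CVC/CVN).
SECURITY_CODE_COL_RE = re.compile(r"cv[vcn]|card_?code|security_?code", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the most that may be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_record(table: str, row: Dict[str, str]) -> List[str]:
    """Report PAN-like values and populated security-code columns in one row."""
    findings = []
    for col, value in row.items():
        value = value or ""
        if SECURITY_CODE_COL_RE.search(col) and value.strip():
            findings.append(f"{table}.{col}: stored card security code (never permitted)")
        for match in PAN_RE.finditer(value):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(f"{table}.{col}: Luhn-valid PAN {mask_pan(digits)}")
    return findings

def scan_dump(rows: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Scan an exported set of (table, row) pairs and collect all findings."""
    return [f for table, row in rows for f in scan_record(table, row)]

# Constructed sample export; column names and values are made up for this example.
SAMPLE_ROWS = [
    ("orders", {"order_id": "1001", "cc_number": "4111 1111 1111 1111", "cc_cvv": "123", "total": "49.99"}),
    ("orders", {"order_id": "1002", "cc_number": "", "cc_cvv": "", "total": "12.00"}),
    ("customers", {"customer_id": "7", "notes": "called about card ending 1111, phone 5551234567"}),
]

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_ROWS):
        print(finding)
```

The Luhn filter removes most numeric false positives (order ids, phone numbers, totals), so a non-empty result on a production export is a strong signal that cardholder data is being retained.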

  4. #14

    Re: My client wants to Store Credit Card numbers encrypted in the database on the ser

    Quote Originally Posted by the_ancient
    PCI has different levels for different ranges of Transactions, and you only have to be compliant if you store the CC data. Most stores don't, so they don't have to worry, but if you are storing numbers after Jan 1 2008 you better be PCI compliant or face Fines or Suspension of your CC processing Privileges.
    OK, that makes sense. I plan to use Authorize.net for a new store. My merchant account bank (an Authorize.net partner) requires an audit of my site, but PCI compliance has not been raised as an issue. They seem to be more concerned about SSL and return policies.

  5. #15

    Re: My client wants to Store Credit Card numbers encrypted in the database on the ser

    I found a link on the Authorize.net site that points to a page that defines the merchant levels for compliance.

    trustwave.com/pciDataSecurityStandard.php
