  1. #1

    My client wants to Store Credit Card numbers encrypted in the database on the server

    Hi
    I recently convinced someone to move to Zencart from Cyberlink eShop. I have finished everything and am just about to go live when he states he needs to view the order with all credit card details showing. His Cyberlink eShop does this. I checked the eShop database (MS Access) and all the cc details are encrypted, so that's OK. He does not want half the number in the DB and half emailed; that's not his internal process.

    So how can I encrypt the cc details in the DB, and then decrypt them to view on the Order web page? It is all SSL enabled, so that's OK too.

    Thanks

  2. #2

    You would have to customize the checkout pages and probably the database tables to store the CC as encrypted data, and then have a function on the order screen to decrypt it.


    http://www.php.net/mcrypt


    But be very, very careful storing card data; just encrypting it is not always enough:

    https://www.pcisecuritystandards.org/

  3. #3

    Thanks. Does anyone know what's involved in implementing this in Zencart? Has anyone done it?

  4. #4

    Also, are there any definite guidelines/rules on this anywhere online I can send my client to? I can't seem to find anything that clearly states "you need to delete CVV numbers after processing" or "you must not store cc details unencrypted". That sort of thing. The websites I have found are quite vague, and the ones I have found that state this are forums and just people saying it with no legal link from the cc companies to back it up.

    So for example this site does not state either of the above:
    https://www.pcisecuritystandards.org/tech/index.htm

    It states "Protect stored cardholder data", which I find a bit vague. Nothing about deleting CVV numbers after processing.

    Thanks

  5. #5

    Actually I delved a bit further; this specification does elaborate on the above and states you cannot store CVV data, so this may be good to show the client:
    https://www.pcisecuritystandards.org...i_dss_v1-1.pdf

  6. #6

    Quote Originally Posted by infocom:
    Also, are there any definite guidelines/rules on this anywhere online I can send my client to? I can't seem to find anything that clearly states "you need to delete CVV numbers after processing" or "you must not store cc details unencrypted". That sort of thing. The websites I have found are quite vague, and the ones I have found that state this are forums and just people saying it with no legal link from the cc companies to back it up.

    So for example this site does not state either of the above:
    https://www.pcisecuritystandards.org/tech/index.htm

    It states "Protect stored cardholder data", which I find a bit vague. Nothing about deleting CVV numbers after processing.

    Thanks
    (end quote)

    There are 2 things in play.

    In the USA, legally you must follow PCI standards; it is illegal not to. The PDF you linked to says more than "you can't store CVV": it is the full security standard that says what can and can't be stored, and how it must be stored.

    A brief overview is:

    a> All customer data must be encrypted
    b> All access to customer data must be tracked per user
    c> There are many hosting requirements; be sure to check with your host to see if the plan your client has meets PCI standards as well

    While it may not be illegal in the UK, I can assure you that your client will violate his merchant agreement if he does not follow PCI. Every major card company requires PCI compliance of their merchants; failure to meet PCI can result in the merchant account being suspended, and if it is suspended for security reasons no other company will give your client a new account.

    Plus storing card data can open you up to extreme civil liability, at least here in the USA. Just ask TJ Maxx.

  7. #7

    Thanks for that.

    What if you have a UK site and you are selling to US customers, so they are entering CC details on a UK site? This is what is happening on this site. I suppose you have to follow UK law where the business is located?

    Also...

    a> All customer data must be encrypted
    When you say all customer data must be encrypted, do you mean cc data? Because Zencart does not encrypt normal customer data (name, address, etc.), nor does it encrypt the cc data that it does store. The only thing it does is prevent storage of cc numbers by splitting them to an email.

  8. #8

    @the_ancient, I think you are mistaken about this.

    There is a difference between being illegal and in violation of PCI standards. It is not illegal to be in violation of PCI standards. PCI standards are a "best practices" approach that may be required by some credit card companies.

    Most shopping carts do not encrypt customer names, addresses, etc., in their databases, although it may be a good idea to do so given the data security laws in states such as California.

    I have worked on many e-commerce sites and I have never seen one that fulfills all of the PCI requirements.

    Personally, I think it is insane to store credit card info that can be decrypted and displayed in an Admin area. Admin passwords can be broken. Yet I have seen many e-commerce systems that do allow credit card details to be displayed. I cringe every time I see this.
    Last edited by Tech-E; 26 Mar 2008 at 02:17 PM.
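    Added example, not from any poster in this thread and not Zen Cart code: the "encrypt in the DB, decrypt on the order screen" approach from post #2, written the way a security engineer would actually do it if a merchant insists on keeping card numbers, and shaped by the points in posts #5/#6 and #8 (no CVV is ever stored; the admin page sees a masked number by default; decryption is a separate, deliberate step). It is Go with only the standard library so it runs anywhere; the same structure ports to PHP. Assumptions (mine, not the thread's): a 32-byte AES-256 key loaded from config outside the database, AES-GCM so tampered ciphertext fails to decrypt, and the order ID bound in as associated data so a blob copied from one order row into another will not decrypt. The test card number 4111111111111111 and the order IDs are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CardVault holds the AEAD built from a key that is NOT stored in the
// database (assumption: loaded from a config file readable only by the app).
type CardVault struct {
	aead cipher.AEAD
}

func NewCardVault(key []byte) (*CardVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead}, nil
}

// StoredCard is what the orders table would hold: never the CVV and never
// the clear PAN. MaskedPAN is what the admin order page shows by default.
type StoredCard struct {
	MaskedPAN string
	Expiry    string
	PANBlob   string // base64(nonce || AES-GCM ciphertext+tag)
}

// Luhn rejects mistyped numbers before anything is encrypted.
func Luhn(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 {
			return false // non-digit
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

// MaskPAN keeps at most the first six and last four digits (the most PCI DSS
// allows to be displayed); everything else is replaced with '*'.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Store encrypts the PAN for one order. CVV is deliberately not a parameter:
// there is no field for it, so it cannot be persisted by accident.
func (v *CardVault) Store(orderID, pan, expiry string) (StoredCard, error) {
	if !Luhn(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	// orderID as associated data: ciphertext is bound to this order row.
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(orderID))
	return StoredCard{
		MaskedPAN: MaskPAN(pan),
		Expiry:    expiry,
		PANBlob:   base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// Reveal decrypts for the rare authorised case. A wrong key, a different
// order ID, or any modification of the blob fails closed.
func (v *CardVault) Reveal(orderID string, c StoredCard) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(c.PANBlob)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(orderID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong order, or tampered data")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo key; in practice load from config, never from the DB
	rand.Read(key)
	v, _ := NewCardVault(key)
	card, _ := v.Store("ORD-1001", "4111111111111111", "12/09")
	fmt.Println("admin order page shows:", card.MaskedPAN, card.Expiry)
	pan, err := v.Reveal("ORD-1001", card)
	fmt.Println("authorised reveal:", pan, err)
	_, err = v.Reveal("ORD-1002", card)
	fmt.Println("blob moved to another order:", err)
}
```

    Whatever the language, the decrypt call should be behind a separate permission and logged per user (post #6's point b), and a masked display should be the default view; an admin account that can see every clear card number is exactly the exposure post #8 warns about.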

  9. #9

    Well that's the thing... they use Cyberstrong eShop which, although it encrypts the data in the Access database, lets you see it all unencrypted in the Admin area. Even the CVV number. You can also download the eShop Access database by going directly to it in the browser (if you knew the path), and this does not require a password to open.

    So I am trying to convince them to use Zencart and have the split number sent to an email address to improve this, but they are so used to clicking a link to see all the cc details in their Admin that they don't want to change. They also think having SSL prevents all these issues, so they have been miseducated.

    So I am hoping these standards convince them they should change their system.

    Thanks

  10. #10

    Part of the difference between the USA and the UK is that in the US we do not have "loser pays" laws. Anyone can sue anyone for any reason in civil court. Lawyers jump on security breaches, especially if it is with a big company with deep pockets.

    We have class action suits in the USA where lawyers can sue on behalf of large groups of customers (the class) without their acknowledgment or agreement. The class participants usually each get a pittance in the settlement, while the lawyers make millions.

    I agree that there is a huge potential civil liability if you have a breach that exposes credit card numbers or you are caught storing CVV numbers. Those are the big issues. You will very likely lose your credit card agreement and could possibly get hauled into court with a civil suit. The civil suit usually depends upon how large or wealthy your company is. In some states with data security laws, it could be a criminal issue as well.

    @infocom, I think you need to have the customer investigate any legal liability with their attorney. In the USA, identity theft has become rampant and it is driving states to pass data security laws. I don't know where the level of concern is in the UK.

    Using an Access database to store sensitive information. E-e-e-e-e-eeK!
    Last edited by Tech-E; 26 Mar 2008 at 02:43 PM.
