  1. #1
    Join Date
    Dec 2007
    Location
    New Jersey
    Posts
    76
    Plugin Contributions
    0

    storing cc numbers, pci compliance, and CIM oh my

    Hi all you Brilliant Zenners,

    I have a doozy of a question for you. A customer wants to store credit card info online and be compliant with the new standards.
    so, in order to do this, I was thinking:

    using AIM module
    1. drop out the full number before it is even sent to the payment gateway
    2. put in a sql table
    3. encrypt it with mod 5 hash
    4. decrypt it on the checkout and customer information screens

    OR and this is probably smarter:

    has anyone out there developed a module that will work with CIM? I am reading up on this now, and authorize dot net is really pushing this as the best way to store cards. if anyone has written this mod, please PM me. I'm interested...

    any thoughts, tips, suggestions would be very useful.
    hmmn. really?

  2. #2
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: storing cc numbers, pci compliance, and CIM oh my

    Explain to your client that storing CC numbers is a headache that is really NOT worth it.

    IF they are going through the gateway then there is NO need for them to ever store cc numbers.........

    I see a headache and it says Excedrin ALL over it

  3. #3
    Join Date
    Dec 2007
    Location
    New Jersey
    Posts
    76
    Plugin Contributions
    0

    Re: storing cc numbers, pci compliance, and CIM oh my

    I agree with you. I am really leaning away from it. CIM is a method authorize dot net is pushing, and I think it may be worth the 20 bucks a month for their peace of mind.

    that being said, anyone out there know about CIM yet? it's fairly new. here's what the authorize dot net website says:

    Customer Information Manager (CIM) – API Guide
    The Authorize.Net Customer Information Manager (CIM) allows merchants to create customer profiles that are stored on Authorize.Net’s secure servers. By providing quick access to stored customer information, CIM is ideal for businesses that:

    blah, blah, stuff that applies to me
    ~Are concerned with PCI compliance.
    ~Want to provide returning customers with the convenience of not having to re-enter personal data.

    The CIM API supports integration with a Web site payment form or a proprietary business application. The profiles, which include payment and shipping information, can then be referenced in future transactions, eliminating steps in the transaction process for repeat customers and potentially increasing customer loyalty.

    there is an XML and a SOAP api guideline. i guess i'm gonna have to roll up my sleeves and just do this. BUT I'm going to wait and see if someone else has. again, PM me, I am totally interested in connecting with you if you've a way around this already...
    hmmn. really?
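
The profile-reference approach discussed in this thread, sketched as an added example (not code from any poster, from Zen Cart, or from Authorize.Net). `StandInVault` is a hypothetical stand-in for a gateway-hosted profile store and does not reproduce the CIM XML/SOAP API; the table layout, function names and card number are constructed for illustration.

```python
import secrets
import sqlite3

class StandInVault:
    """Hypothetical stand-in for a gateway-hosted profile store; NOT the CIM API."""
    def __init__(self):
        self._cards = {}  # held on the gateway side, never in the shop database

    def create_profile(self, pan):
        profile_id = secrets.token_hex(8)  # opaque reference, not derived from the PAN
        self._cards[profile_id] = pan
        return profile_id
    def charge(self, profile_id, amount_cents):
        return profile_id in self._cards and amount_cents > 0

def luhn_ok(pan):
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False  # reject mistyped input before anything is sent anywhere
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def open_shop_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE saved_cards (customer_id INTEGER, profile_id TEXT, last4 TEXT)")
    return db

def save_card(db, vault, customer_id, pan):
    """Hand the full number to the vault; keep only the reference and last four digits."""
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check")
    profile_id = vault.create_profile(pan)
    db.execute("INSERT INTO saved_cards VALUES (?, ?, ?)", (customer_id, profile_id, pan[-4:]))
    return profile_id

def checkout_label(db, customer_id):
    """What the checkout and customer information screens can show without the full number."""
    row = db.execute("SELECT last4 FROM saved_cards WHERE customer_id = ?", (customer_id,)).fetchone()
    return f"Card ending in {row[0]}" if row else "No saved card"

def shop_db_contains(db, needle):
    """Audit helper: search a full SQL dump of the shop database for a string."""
    return any(needle in line for line in db.iterdump())

if __name__ == "__main__":
    db, vault = open_shop_db(), StandInVault()
    pid = save_card(db, vault, 42, "4111 1111 1111 1111")  # constructed test number
    print(checkout_label(db, 42), "| full number in shop DB:", shop_db_contains(db, "4111111111111111"))
```

The same dump-and-search check can be pointed at a real shop database backup to confirm that no full card number has been written to it.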

 

 
