My client wants to Store Credit Card numbers encrypted in the database on the server

[infocom]

Also, are there any definite guidlines/rules on this anywhere online I can send my client to? I cant seem to find anything that clearly states "you need to delete cvv numbers after processing" or "you must not store cc details unencrypted". That sort of thing. The websites I have found are quite vague and the ones I have found that state this are forums and just people saying it with no legal link from the cc companies to back it up.

So for example this site does not state either of the above:-
https://www.pcisecuritystandards.org/tech/index.htm

It states "Protect stored cardholder data" which I find a bit vague. Nothing about deleting cvv numers after processing.

Thanks

[infocom]

Actually I delved a bit firther, this specification does elaborate on the above and states you cannot store CVV data so this may be good to show the client:-
https://www.pcisecuritystandards.org...i_dss_v1-1.pdf

[the_ancient]

Also, are there any definite guidlines/rules on this anywhere online I can send my client to? I cant seem to find anything that clearly states "you need to delete cvv numbers after processing" or "you must not store cc details unencrypted". That sort of thing. The websites I have found are quite vague and the ones I have found that state this are forums and just people saying it with no legal link from the cc companies to back it up.

So for example this site does not state either of the above:-
https://www.pcisecuritystandards.org/tech/index.htm

It states "Protect stored cardholder data" which I find a bit vague. Nothing about deleting cvv numers after processing.

Thanks

There are 2 things in play,

In the USA, legally you must follow PCI standards, it is illegal not to... the PDF you linked to says more than "you cant store cvv" it is the full security standard that says what can and cant be stores, and how it must be stored

a brief over view is

a> All customer data must be encrypted
b> All Access to Customer Data must be tracked per user
c> there are many hosting requirements, be sure to check with your host to see if the plan your client has meets PCI standards as well



While it may not be illegal in the UK, I can ensure you that your client will violate his merchant agreement if he does not follow PCI, every major card company required PCI compliance of their merchants, failure to meet PCi can result in the merchant account being suspended, and if it is suspended for security reason no other company will give your client a new account...

Plus storing card data can open you up to extreme civil liability, at least here in the USA, Just ask TJ MAxx

[infocom]

Thanks for that.

What if you have a UK site and you are selling to US customers, so they are entering CC details on a UK site? This is what is happening on this site. I suppose you have to follow UK law where the business is located?

Also...

a> All customer data must be encrypted

When you say all customer data must be encrypted, do you mean cc data? Because Zencart does not encrypt normal customer data (name, address etc.) nor does it encrypt the cc data that it does store. The only thing it does is prevent storage of cc numbers by splitting it to an email.

[Tech-E]

@the_ancient, I think you are mistaken about this.

There is a difference between being illegal and in violation of PCI standards. It is not illegal to be in violation of PCI standards. PCI standards are a "best practices" approach that may be required by some credit card companies.

Most shopping carts do not encypt customer names, addresses, etc., in their databases, although it may be a good idea to do so given the data security laws with states such as California.

I have worked on many e-commerce sites and I have never seen one that fulfills all of the PCI requirements.

Personally, I think it is insane to store credit card info that can be unencrypted and displayed in an Admin area. Admin passwords can be broken. Yet, I have seen many e-commerce systems that do allow credit card details to be displayed. I cringe every time I see this.

[infocom]

Well thats the thing... they use Cyberstrong eShop which although encrypts the data in the Access database, you can see it all unencrypted in the Admin area. Even the CVV number. You can also download the eShop Access database by going directly to it in the browser (if you knew the path) and this does not require a password to open.

So I am trying to convince them to use Zencart and have the split number sent to an email address to improve this, but they are so used to clicking a link to see all the cc details in their Admin they dont want to change. They also think having a SSL prevents all these issues, so they have been miseducated.

So I am hoping these standards convince them they should change their system.

Thanks

[the_ancient]

Well thats the thing... they use Cyberstrong eShop which although encrypts the data in the Access database, you can see it all unencrypted in the Admin area. Even the CVV number. You can also download the eShop Access database by going directly to it in the browser (if you knew the path) and this does not require a password to open.

So I am trying to convince them to use Zencart and have the split number sent to an email address to improve this, but they are so used to clicking a link to see all the cc details in their Admin they dont want to change. They also think having a SSL prevents all these issues, so they have been miseducated.

So I am hoping these standards convince them they should change their system.

Thanks

1> Splitting the CC Number is not PCI Complaint Security, hell it can barely be considered "security" email is very insecure, I would not want any, even part, of my card number in a email....IMO this option should have been removed from OSC/Zen a long time ago


2. Why dont they use a Gateway, This is a standard way to process Credit Card over the net, they may want to check with the merchant provider as well, as some will not allow you to collect CC data and process the Data offline, Ecommerce and "phone" transactions must be handled differently

[Tech-E]

Part of the difference between the USA and the UK is that in the US we do not have "loser pays" laws. Anyone can sue anyone for any reason in civil court. Lawyers jump on security breaches, especially if it is with a big company with deep pockets.

We have class action suits in the USA where lawyers can sue on behalf of large groups of customers (the class) without their acknowledgment or agreement. The class participants usually each get a pittance in the settlement, while the lawyers make millions.

I agree that there is a huge potential civil liability if you have a breach that exposes credit card numbers or you are caught storing CVV numbers. Those are the big issues. You will very likely lose your credit card agreement and could possibly get hauled into court with a civil suit. The civil suit usually depends upon how large or wealthy your company is. In some states with data security laws, it could be a criminal issue as well.

@infocom, I think you need to have the customer investigate any legal liability with their attorney. In the USA, identity theft has become rampant and it is driving states to pass data security laws. I don't know where the level of concern is in the UK.

Using an Access database to store sensitive information. E-e-e-e-e-eeK!

[the_ancient]

Also you need to express to your client that storing CVV data has never been authorized, they may or may not get busted on the PCI right now as it is new, however if they are caught storing CVV data they will lose their merchant account and they account will be flagged and they will more than likly never be able to process Credit Cards again....

NEVER EVER EVER EVER EVER EVER EVER store cvv data

[the_ancient]

@the_ancient, I think you are mistaken about this.

There is a difference between being illegal and in violation of PCI standards. It is not illegal to be in violation of PCI standards. PCI standards are a "best practices" approach that may be required by some credit card companies.

Most shopping carts do not encypt customer names, addresses, etc., in their databases, although it may be a good idea to do so given the data security laws with states such as California.

I have worked on many e-commerce sites and I have never seen one that fulfills all of the PCI requirements.

Personally, I think it is insane to store credit card info that can be unencrypted and displayed in an Admin area. Admin passwords can be broken. Yet, I have seen many e-commerce systems that do allow credit card details to be displayed. I cringe every time I see this.

Jan 1 2008 all merchants were REQUIRED to be compliant with PCI, before that it was optional

PCI has differant levels for different ranges of Transaction, and you only have a be compliant if you store the CC data, most stores done, so they dont have to worry, but if you are staring number after jan 1 2008 you better be PCI compliant or face Fines or Suspension of your CC processing Privileges