osCommerce

OsC CCard No. Storage Legality in UK


krisp


Posted

Hi Guys,

Just had a thought.... is it actually legal to use osCommerce out of the box storing credit card data unencrypted on a server (specifically in the UK)?

Any thoughts? I realise that you guys aren't my lawyers - but it'd be handy to know...

Posted

> Hi Guys,
>
> Just had a thought.... is it actually legal to use osCommerce out of the box storing credit card data unencrypted on a server (specifically in the UK)?
>
> Any thoughts? I realise that you guys aren't my lawyers - but it'd be handy to know...

I'm not anybody's lawyer, but my understanding is that it is legal but inadvisable, at least in the USA. However, both Visa and MasterCard have strict requirements about storing cc numbers, and osCommerce would not meet their encryption requirements. It's certainly safer to just not do it.

 

If you are seriously considering storing cc numbers online, check with your bank, Visa, M/C, etc for their requirements before you start. Then get a good lawyer to advise you. A real one.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.

Posted

New to the boards here, and don't want to step on toes, but the post by kymation is inaccurate.

Krisp is 100% correct.

 

I deal with CC processing on a daily basis globally for my day job.

 

Don't want to scare anyone, but here's the scoop.

Per MasterCard and Visa regulations and their associated PCI (Payment Card Industry) guidelines, any system that accepts, processes, stores or transmits CC data in a "card not present" environment (i.e. the internet or eCommerce transactions) must protect the data at all times, especially when stored.

That means for you or your store to be "compliant", you cannot store credit cards in an unencrypted form.

You are also not permitted to accept credit cards without having the connection encrypted (i.e. under SSL).

 

For more information, you can go to: http://www.visa.com/cisp

You should pay attention to the following:

* PCI Data Security Standard
* Go to VIEW ALL PCI DOWNLOADS, then also read:
* PCI Security Audit Procedures
* PCI Self-Assessment Questionnaire
* What to do if compromised

 

Should card numbers be heisted from your site or DB, you (the store operator) are then liable if the cards are used fraudulently, and there are fines associated with it as well.

 

PCI guidelines are mandatory for merchants (those that accept and process cards) in the US.

PCI guidelines are recommended for EU merchants at this time, however they (MasterCard and Visa) have international guidelines on their International AIS (Account Information Security) site at: http://corporate.visa.com/st/programs.jsp

 

Now then....

Because of my hobby being a small operation and not having the resources to properly handle eCommerce credit card transactions off my hobby shop's online site, I use PayPal exclusively. If the customer still wants to use a CC, they can use their CC on the PayPal end of the transaction.
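As an added, defender-side example (not code from this thread, and not part of osCommerce), here is a small Python check for the situation the post above describes: card numbers sitting in the clear in an orders table. It scans a table dump for 13-19 digit runs, keeps only those that pass the Luhn check that card numbers satisfy (which drops order references, phone numbers and the like), and shows how each hit would be truncated to its last four digits, the most an order record needs to keep once the full number no longer has to be held. The pipe-delimited rows, column layout and card numbers are constructed for the example; the card numbers are the usual industry test numbers, not real cards.

```python
import re

# Constructed sample: a naive pipe-delimited dump of an orders table that
# holds card numbers in the clear. Test card numbers only, not real cards.
SAMPLE_ROWS = [
    "1001|John Smith|4111111111111111|12/2009|visa",
    "1002|Jane Doe|5500 0000 0000 0004|03/2010|mastercard",
    "1003|Bob Lee|1234567890123456|01/2011|visa",        # 16 digits, fails Luhn
    "1004|Ann Ray|XXXXXXXXXXXX1111|11/2009|visa",        # already truncated
    "1005|Order ref 20080412000123|N/A|n/a|n/a",         # 14 digits, fails Luhn
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep only the last four digits; everything else becomes X."""
    return "X" * (len(digits) - 4) + digits[-4:]


def scan_rows(rows):
    """(row_index, masked_pan) for every row holding a cleartext card number."""
    findings = []
    for idx, row in enumerate(rows):
        for pan in find_pans(row):
            findings.append((idx, mask_pan(pan)))
    return findings


def redact_row(row):
    """Replace every cleartext card number in a row with its truncated form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, row)


if __name__ == "__main__":
    for idx, masked in scan_rows(SAMPLE_ROWS):
        print(f"row {idx}: cleartext card number found; would retain as {masked}")
```

Run it against a real dump before filling in the self-assessment questionnaire: if `scan_rows` reports anything, the store is holding full card numbers and is in scope for everything the PCI documents require. The Luhn filter is a heuristic, so treat any hit as something to look at by hand, and note that it finds only numbers stored as digits; the honest fix remains not storing the full number at all.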

Posted

Also don't forget, if you're storing credit card numbers in the DB, then that probably means you are going to be processing them offline.

 

Most banks that provide the card processing machines for you to use in your shop won't allow you to use them for online orders. For taking orders in a shop you will have a merchant account; even if that merchant account allows cardholder-not-present (mail order) transactions, it probably won't allow you to take internet orders without an Internet Merchant account on top of your normal merchant account. That is of course unless you have done a deal with your bank/supplier to allow it. :)

 

You can always use systems like worldpay, securepay etc to take orders online for you and take away the hassle of storing CC numbers.

Posted

hotnuts is correct.

I wasn't even going to go into the legal aspects of the merchant accounts itself....

There are different merchant agreements for your physical point of sale world (where you may have a card swiper or keypad device), and most (I would say 99%) of the merchant agreements you signed don't cover eCommerce scenarios.

Most of the card processing companies that handle the business for smaller companies that process less than $1million/year require separate merchant accounts just for the online part of the business.

Posted

For UK, I'd recommend Protx - it integrates well with osCommerce and the card processing / card storing is taken care of by Protx. You do need a merchant account though.

 

Also agree with the posts above - storing / processing CC details is serious business and unless you're a bigger company, it might just not be worth the effort. Don't do it and think "it'll be okay" - if anything does go wrong and you're in breach of your agreements, your business will be dead.

 

all the best, Terra

My code for combining PayPal IPN with ** QTPro 4.25 ** osC Affiliate ** CCGV(trad)

and how to solve the invoice already paid error

General info: Allow customer to delete order comment ** FTP Programs & Text Editors ** Amending order email **
