
Credit Card Storage


kieran_mullen


I understand when using the authorize.net module, storage of the complete credit card number is not needed.

 

However, with the credit card module, one would assume that module would be used for offline processing.

 

Why then would the credit cards be stored with an XXXX as a security measure?

 

I can view it through an SSL. How can I make the script store a real number?

 

Is there any way to recover the numbers from orders already placed? I would assume not since I saw the same thing viewing the database directly.

 

Thank you

 

KieranMullen


It is against the law to have all of the card numbers stored on an internet site. If you do store them and you get hacked you can be fined $50,000.00 for each card number stolen from your site... Do you really want to do this?


No but it is what the client wants.

 

Could you point me to this law so I can email it to them?

 

Thanks

KM

 



I believe there is some confusion on the particulars of Visa's CISP program. You might want to get this information directly from Visa and skip the speculation.

 

http://usa.visa.com/business/accepting_vis...ement/cisp.html

http://usa.visa.com/business/accepting_vis...ement/cisp.html

http://usa.visa.com/business/accepting_vis..._providers.html

 

HTH,

Iggy

Everything's funny but nothing's a joke...


You could be held liable also should you set this up for them.


I guess my $50,000.00 has been updated to a much higher fine.

 

http://usa.visa.com/business/accepting_vis..._providers.html

 

Loss or theft of account information

 

Members, service providers or merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

 

If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

 

If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

 

Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.


And that's where the confusion comes in. This is from the Service Provider's info. I'm guessing there are exactly 0 SPs in this forum.

 

From the Merchant info most of us or our clients would be Level 4 Merchants processing less than 20000 transactions a year through our SPs (AuthNet etc).

 

http://usa.visa.com/business/accepting_vis...chants#anchor_2

 

As I read it the fines are for SPs. Overall, not an easy set of documents to interpret.

 

But, in the overall, your best bet is to let the gateway deal with the processing and storage of the card. Their resources (legal and material) far outstrip yours and it's what you're paying them for anyway.

 

Iggy

Everything's funny but nothing's a joke...


Archived

This topic is now archived and is closed to further replies.
