View Full Version : Rules regarding storing customer information
Lord_Webby 10-08-2008, 05:15 AM I am creating a site that will be used to hold information about customers and their credit cards. I will not be storing or processing PAN (Primary account numbers) in any way, so I know PCI-DSS (Payment Card Industry - Data Security Standards) do not apply. But does anyone know of any regulations regarding storing customer data in a database?
The Data Protection Act is a bit vague - I can't seem to find information regarding specifics. For instance, I've been told that if you are holding customer data it needs to be on a separate server to the website. Is this true?
Does anyone know of any specific documents / standards regarding storing customer information entered through the web?
Any help would be appreciated. Thanks.
DigitalLinx 10-08-2008, 12:32 PM AFAIK you're not allowed to store CVV2 numbers in your database.
CDGJerry 10-08-2008, 04:33 PM I used to have the documentation but cannot seem to find it. I do know that you are not allowed to store CVV2, as DigitalLinx mentioned. All credit card information must be encrypted and the database must be on a separate server. PCI wants one service only when it comes to cardholder information. So just web on the web server and just MySQL on the MySQL server. Also, the web server network and the MySQL network must be separated by a firewall, at least for level 1.
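The post above boils down to two storage rules: never persist the security code (CVV2), and treat anything that is a full card number as data that must not land in the application database unencrypted. The following is an added example, not code from anyone in this thread, of a pre-persistence gate that enforces those rules before a record is written. The field names, the allowed-field list and the sample records are constructed for illustration; the Luhn check is the standard ISO/IEC 7812 checksum used by card numbers.

```python
"""Pre-persistence gate: refuse to write card data that must not be stored.

Added example (not from the thread). Before a record reaches the database,
check it for fields that must never be stored (CVV2/CVC) and for any value
that looks like a full PAN. Field names below are constructed assumptions.
"""
import re

# Field names that hold a card security code; never persisted (constructed list).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}

# Fields the original poster intends to keep; anything else is dropped (assumption).
ALLOWED_FIELDS = {
    "name", "address", "tel", "card_issuer",
    "card_start", "card_end", "mothers_maiden_name",
}

# 13 to 19 digits, optionally separated by spaces or dashes.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Keeps phone numbers and order ids from
    being mistaken for card numbers: a random digit run passes only 1 in 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if any 13-19 digit run in the string passes the Luhn check."""
    for m in _DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def gate_record(record: dict) -> dict:
    """Return the subset of `record` that may be stored, or raise ValueError.

    Raises rather than silently dropping card data so the calling code (and
    its logs) notice that a form is submitting fields it should not.
    """
    lowered = {k.lower(): v for k, v in record.items()}
    forbidden = FORBIDDEN_FIELDS & lowered.keys()
    if forbidden:
        raise ValueError(f"refusing to store security code field(s): {sorted(forbidden)}")
    for key, value in lowered.items():
        if isinstance(value, str) and looks_like_pan(value):
            raise ValueError(f"field {key!r} appears to contain a full card number")
    return {k: v for k, v in lowered.items() if k in ALLOWED_FIELDS}


if __name__ == "__main__":
    # Constructed sample submission: an allowed record plus a stray field.
    ok = gate_record({"Name": "A. Customer", "tel": "+44 20 7946 0958",
                      "card_issuer": "Visa", "newsletter": "yes"})
    print(ok)
    # Constructed sample that must be rejected: a CVV2 field.
    try:
        gate_record({"name": "A. Customer", "cvv2": "123"})
    except ValueError as exc:
        print("rejected:", exc)
```

The gate is applied at the single point where web-tier code hands data to the database layer, so it does not depend on every form handler remembering the rule. The Luhn filter is a heuristic: it will miss numbers hidden across several fields, and it is not a substitute for keeping the database on its own segmented host as the post describes.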
CDGJerry 10-08-2008, 04:34 PM Here is a link I found in my favorites.
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
DigitalLinx 10-08-2008, 04:45 PM I used to have the documentation but cannot seem to find it. I do know that you are not allowed to store CVV2, as DigitalLinx mentioned. All credit card information must be encrypted and the database must be on a separate server. PCI wants one service only when it comes to cardholder information. So just web on the web server and just MySQL on the MySQL server. Also, the web server network and the MySQL network must be separated by a firewall, at least for level 1.
People don't use that though, believe me. I worked in a DC for 2 years and sometimes I had to migrate ecommerce sites along with databases, and couldn't help noticing all those people's credit card information flashing before my eyes along with CVV2 numbers, also directories full of people's picture IDs, even SSN numbers. It's really sad if all those people's information is exposed if their server isn't secure. I think people who really do need to store that kind of sensitive information should be audited regularly by a proper authority, like idk the IRS lol.
CDGJerry 10-08-2008, 04:49 PM Yeah, I know they do not use it. Level 1 must, as they do get audits. It's the others that can get away with it.
Lord_Webby 10-09-2008, 03:35 AM Can I ask what you mean when you say "level 1"?
Thanks.
040Hosting 10-09-2008, 04:12 AM People don't use that though, believe me. I worked in a DC for 2 years and sometimes I had to migrate ecommerce sites along with databases, and couldn't help noticing all those people's credit card information flashing before my eyes along with CVV2 numbers, also directories full of people's picture IDs, even SSN numbers. It's really sad if all those people's information is exposed if their server isn't secure. I think people who really do need to store that kind of sensitive information should be audited regularly by a proper authority, like idk the IRS lol.
I don't understand this post; if you are following PCI compliance you will need to have audits from companies which are allowed to do this, on a very regular interval. There are plenty of companies offering these audits and they are often also able to assist the OP in becoming compliant. But don't take this lightly: if you are just a starting company you may want to use a payment gateway instead of becoming PCI compliant yourself.
Back to the OPs question:
But does anyone know of any regulations regarding storing customer data in a database?
I believe this would be related to privacy laws, these are different everywhere, so can't give you a solid answer on this.
Lord_Webby 10-09-2008, 04:34 AM Just to clarify, as I mentioned in my original post: the company I am building the site for is NOT storing PAN numbers. Therefore PCI-DSS do not apply. This is a question regarding security and laws of storage of other customer data (no direct credit card numbers/identifying information will be stored/processed). However, name, address, tel, card issuer (and possibly start and end dates of credit cards), and mother's maiden name will be stored.
All other Credit Card information will be processed by hand on paper through the post - so I do not need to worry about that. What I am concerned with is the Data Protection Act and how to uphold it in regard to storage of the data mentioned above.
Thanks
Lord_Webby 10-09-2008, 04:35 AM Data Protection Act / Equivalents
DigitalLinx 10-09-2008, 05:53 AM I don't understand this post; if you are following PCI compliance you will need to have audits from companies which are allowed to do this, on a very regular interval. There are plenty of companies offering these audits and they are often also able to assist the OP in becoming compliant. But don't take this lightly: if you are just a starting company you may want to use a payment gateway instead of becoming PCI compliant yourself.
Back to the OPs question:
I believe this would be related to privacy laws, these are different everywhere, so can't give you a solid answer on this.
I don't know if those clients were PCI compliant. I was just pointing out that some ecommerce sites don't follow common-sense security rules to protect other people's sensitive information, storing everything on one server.
And from a client point of view you can't know how a website stores your personal/sensitive information nor if they're PCI or not.
e-onlinedata support 10-10-2008, 11:36 AM Hi Lord Webby,
You can find the card regulations here:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html
Kernelpower_Ltd 10-11-2008, 08:17 AM All our payments are handled by protx. It's not good business to store customers' card information, especially if you don't have to.