  1. #1
    Join Date
    Sep 2004

    Automatic CC Processing or not?

    Hey gang!

    I thought I would see if I could get some honest opinions on what you feel is the best business solution that provides the most security when it comes to billing customers - either input or automatic.

    Basically I know many hosts prefer to set the system up to automatically bill their clients per their anniversary date depending on the lease time agreed upon (ie, monthly, quarterly, etc).

    I have also found providers that, instead of billing automatically, will send out the invoice requesting the client to login and pay for their service.

    I know the first is easier on the client, but I would think it would hold a greater security threat not only to the client but to the provider if the system happens to be hacked and the cc #'s stolen. I know for example MB encrypts their cards with a 4 digit pin - but from what I have heard - it's not too hard for a hacker to locate that pin and have complete access to your cc info.


    Would it be safer to go the second avenue? This would keep the CC's from being stored on your server and thus - providing a greater level of security for your clients and your company.

    Does client convenience outweigh security?

    Any ideas? Am I looking at this wrong?

  2. #2
    Join Date
    Jun 2003
    Personally we've found it easier to store CC details and automatically process them; however, like you, I was worried about the long term security of the billing database. With that in mind I ended up with hosted Ubersmith, where they look after the server and even as an admin on the billing system I can only see the last 4 characters of the customers' CC. I don't have to worry about the day to day security of the system as that is what I pay Ubersmith for.

    It works as a decent compromise for me.
    Russ Foster - Industry Curmudgeon

  3. #3
    Join Date
    Jan 2004
    Boise, ID
    If you can pass the PCI Compliance you should be okay, but further steps you can take would be:

    Move your SQL databases to a separate server from your webserver.
    Install a hardware firewall.
    Implement a "worst case scenario" plan in the chance that a compromise is found that shuts down the SQL database, servers or both till the problem is resolved.

  4. #4
    Join Date
    Jul 2003
    Castle Pines, CO
    There are four levels of CISP compliancy - if you are storing numbers, you need to be compliant. That costs around $2.00. If you are hacked into and you are not compliant, you can be fined upwards of $10,000 or more and potentially lose your merchant account. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. Merchant level four requires an Annual On-site PCI Data Security Assessment and Quarterly Network Scan. And it should be validated by the Merchant and an Approved Scanning Vendor.

    Electronic gateways also do not charge for recurring billing for the most part, and you can use that feature. That way all the risk is away from you and your company.
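    The pattern posts #2 and #4 describe (hand the card to the gateway once, keep only an opaque gateway token plus the last four digits, and charge recurring invoices against the token so the full card number never sits in the billing database) as an added example. This is not code from anyone in this thread or from Ubersmith or any gateway; the function names, the `tok_` token format, the in-memory store and the sample card number `4111 1111 1111 1111` are all constructed for illustration, and a real gateway call would be an HTTPS request to the provider's API.

```python
"""Added example: a billing store that refuses to hold a full card number (PAN).

Assumptions (hypothetical, not from the thread): the gateway returns an opaque
token after the card is entered once; we persist only that token, the last four
digits and the expiry, and charge recurring invoices against the token.
"""
import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the standard sanity check for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def looks_like_pan(text: str) -> bool:
    """True if text contains a 13-19 digit run that passes Luhn, i.e. a probable card number."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


@dataclass(frozen=True)
class StoredPaymentMethod:
    customer_id: str
    gateway_token: str   # opaque reference the gateway maps back to the card
    last4: str           # the only card digits we keep, for display on invoices
    exp_month: int
    exp_year: int

    def display(self) -> str:
        return f"**** **** **** {self.last4} ({self.exp_month:02d}/{self.exp_year})"


class BillingStore:
    """In-memory stand-in for the billing database (constructed for the example)."""

    def __init__(self) -> None:
        self._rows: dict[str, StoredPaymentMethod] = {}

    def save(self, pm: StoredPaymentMethod) -> None:
        # Defensive check: no field may carry anything that looks like a full PAN,
        # so a bug upstream cannot quietly turn this table into a card dump.
        for field in (pm.customer_id, pm.gateway_token, pm.last4):
            if looks_like_pan(field):
                raise ValueError("refusing to persist what looks like a full card number")
        if not (len(pm.last4) == 4 and pm.last4.isdigit()):
            raise ValueError("last4 must be exactly four digits")
        self._rows[pm.customer_id] = pm

    def get(self, customer_id: str):
        return self._rows.get(customer_id)


def tokenize_with_gateway(customer_id: str, pan: str, exp_month: int, exp_year: int) -> StoredPaymentMethod:
    """Simulates the one-time handoff of the PAN to the gateway.

    The gateway keeps the card; we get back a random token (letters only here so the
    constructed token can never be mistaken for a digit run). The PAN is dropped on return.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
    return StoredPaymentMethod(customer_id, token, digits[-4:], exp_month, exp_year)


def charge_recurring(store: BillingStore, customer_id: str, amount_cents: int) -> dict:
    """Builds the recurring-charge request: only the token leaves our system, never a PAN."""
    pm = store.get(customer_id)
    if pm is None:
        raise KeyError(f"no payment method on file for {customer_id}")
    return {"token": pm.gateway_token, "amount_cents": amount_cents}


if __name__ == "__main__":
    store = BillingStore()
    store.save(tokenize_with_gateway("cust-1001", "4111 1111 1111 1111", 12, 2030))
    print(store.get("cust-1001").display())
    print(charge_recurring(store, "cust-1001", 1999))
```

    With this layout a dump of the billing database yields tokens that are useless without the gateway account, which is the property the original poster was after; the `looks_like_pan` guard in `save` is there so that a later code change cannot start writing full numbers into the same table unnoticed.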

  5. #5
    Join Date
    Nov 2005
    Host the database on a SQL server, install NetScreen on a backplane network so that only the webserver can talk to the SQL billing DB.
    This way, if someone breaks into your network, NetScreen would block the request. Now the web server has to be secured.
