  1. #1 (Join Date: Feb 2006, Posts: 318)

    How to setup proper security

    Situation:
    We have someone that wants to change from their current hosting provider due to problems they are having. They currently have a shared home-made shopping cart on their provider's server. When an order is placed, they receive an email with a confirmation number and the last 4 of the credit card number. They log into the cart with the confirmation number to get the remainder of the credit card number. Then they call in the information to the credit card company and, if it verifies, they ship the product. That's also the process they want to maintain on our server. I do not intend to provide them with a shared shopping cart like they currently have, since that would require me to write my own cart. I will have them purchase a commercial shopping cart and have their own certificate and IP.

    Concerns:
    My concerns are the security of credit card information stored in the cart on the server. It seems obvious that the cart itself would need to have a way of encrypting the stored information. But then what about the server and their account? Should I use a security audit service, and if so, whom? Best practices, etc.

    Questions:
    1. Which shopping carts store this information in an encrypted manner? Do carts like say CS-Cart etc. store the information in an encrypted manner?
    2. What other precautions should be performed to make sure that there is no unauthorized use of the credit card information stored on the server?

    Thanks!
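    An added example, not code from this thread or from any cart or vendor mentioned in it, aimed at question 2 from a detection angle: whatever cart is chosen, the precaution a defender can actually verify is that no full card number ends up in order records, database dumps or debug logs. The scanner below flags digit runs that look like a card number and pass the Luhn check, and reports them masked (last 4 only, the same form the customer's confirmation email already uses). The record lines and the regular expression are constructed for this example; the test card number 4111111111111111 is a standard non-live test value.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form that is safe to show in an email or report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the full (unmasked) card numbers found in one record line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records: list) -> list:
    """Scan stored records; report (record index, masked number) so the finding itself leaks nothing."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_unmasked_pans(rec):
            findings.append((idx, mask_pan(pan)))
    return findings


# Constructed sample records, as a cart might write them to its database or log.
SAMPLE_RECORDS = [
    # Properly masked: only the last 4 digits are stored, as in the confirmation email.
    "order=10041 conf=2007010412345 card=************1111 last4=1111",
    # Full card number persisted in clear: this is what the scan should catch.
    "order=10042 card=4111 1111 1111 1111 exp=01/09",
    # 16 digits that fail the Luhn check: a session id, not a card number (no finding).
    "DEBUG: cart payload {'pan': '4111111111111112'}",
]


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked card number stored ({masked})")
```

    Run it against an export of the cart's order table and against the web server and application logs; a clean result is evidence that the cart only keeps what the process in the first post actually needs. The Luhn filter keeps confirmation numbers and similar long identifiers out of the findings, but digit runs that happen to pass it (some phone or account numbers) will still show up, so treat findings as candidates to review rather than confirmed leaks.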

  2. #2 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    You should take a look at Cardholder Information Security Program for starters.

    Any reason why they are storing credit cards and processing them manually? I would get them to look into whatever gateway they are using and process the orders real time. This would be a lot safer and probably save a lot of time.

  3. #3 (Join Date: Feb 2006, Posts: 318)
    Quote Originally Posted by Corey Bryant
    You should take a look at Cardholder Information Security Program for starters.
    That definitely looks like the place to start.

    Quote Originally Posted by Corey Bryant
    Any reason why they are storing credit cards and processing them manually? I would get them to look into whatever gateway they are using and process the orders real time. This would be a lot safer and probably save a lot of time.
    That ship has already sailed. The point of contact at the customer is the person getting paid to be on the phone all day with the credit card company for them and for the 1-800 phone-in orders, and they made it quite clear that they wanted to process manually. People can also make a case for manual processing (fewer charge-backs, etc.), but that may be more than offset by the security risk that approach brings.

  4. #4 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    Well they will definitely think twice if they are not CISP compliant right now and they have a breach. The fines are pretty hefty and then some providers will also terminate their merchant account.

  5. #5 (Join Date: Feb 2006, Posts: 318)
    Quote Originally Posted by Corey Bryant
    You should take a look at Cardholder Information Security Program for starters.
    After reading the self-assessment, I would have to say that even though our servers are inside of SAVVIS, where half the banking industry is, I don't see how any hoster could make it through the checklist without having the servers physically at his location. Knowledge of the network, capabilities of the routing, security policies, maintenance logs on the server, etc. are simply not available to know if you are compliant. That means to me that it is very unlikely that where they are is CISP compliant, and that very few who are taking and storing the information on their servers are. You would need to be working directly with SAVVIS, not LayeredTech or Servstra, in order to determine if you are CISP compliant. This seems like it would pretty much rule out everybody except gateway providers.

    Quote Originally Posted by Corey Bryant
    Well they will definitely think twice if they are not CISP compliant right now and they have a breach. The fines are pretty hefty and then some providers will also terminate their merchant account.
    That's not what I wanted to hear, but something I needed to hear. It sounds like what you are saying is that I really need a gateway to be secure.

  6. #6 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    They do, or become compliant. One or the other. If they are storing numbers and not compliant, they are subject to fines and penalties. They don't have to have a breach to be fined - it basically happens if someone tells. And who they actually tell.

  7. #7 (Join Date: Feb 2006, Posts: 318)
    Quote Originally Posted by Corey Bryant
    They do, or become compliant. One or the other. If they are storing numbers and not compliant, they are subject to fines and penalties. They don't have to have a breach to be fined - it basically happens if someone tells. And who they actually tell.
    It sounds to me that my only option is something like http://payecom.com/. I wonder, do web hosting companies have any liability in this if someone stores cc information on their servers? What about the web designer that sets them up?

    It looks like SAVVIS is a compliant data center and has a program to certify you every year, but I don't know how it works. It might be easier just to go with something like payecom.com.

    Thanks!
    Last edited by IT_Architect; 01-04-2007 at 08:38 AM.

  8. #8 (Join Date: Feb 2006, Posts: 318)
    When I read the CISP requirements, it seems that CISP does not apply to companies that do less than 20,000 transactions per year. Is that right?

  9. #9 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    You have a ton of options available to you. There are over 90 gateways that I know of that will process transactions online in real time so you do not have to store credit card data.

    CISP though has 4 different levels that usually include an Annual On-site PCI Data Security Assessment and Quarterly Network Scan.

    PayeCom seems like most of the other gateways - and if you are in the United States, you have a number of them to choose from:
    • CREDIT LINE - Nashville, 4000
    • DATACAP - Nashville, 4000
    • Digital Dining - Nashville, 4000
    • DPOS - Omaha, 4010
    • I.C. VERIFY - Omaha, 4010
    • IBILL - Nashville, 4000
    • IC Verify Purchase Card Level II & III - CardNet, 206
    • IC Verify/VAR - CardNet, 206
    • IC-VERIFY DOS - Nashville, 4000
    • IC-VERIFY WINDOWS - Nashville, 4000
    • Image Tech / Visual Matrix - Nashville, 4000
    • IPN/Aloha/VAR - CardNet, 206
    • IPN/PC Charge/VAR - CardNet, 206
    • LP Virtual Terminal - Nashville, 4000
    • MAC AUTHORIZE - Omaha, 4010
    • MERCHANT MASTER - Omaha, 4010
    • MICROS 2700 / 3700 / 4700 / 8700 - Nashville, 4000
    • PAYLINX - Nashville, 4000
    • PC AUTHORIZE - Omaha, 4010
    • PC CHARGE - Omaha, 4010
    • PC-AUTHORIZE WINDOWS - Nashville, 4000
    • PC-CHARGE / NASHVILLE - Nashville, 4000
    • PTC - Omaha, 4010
    • SABLE - CardNet, 206
    • SHIFT 4 $$$ IN THE BANK - Nashville, 4000
    • Southern Datacom / Protobase - Nashville, 4000
    • SQUIRREL - NATIVE - Nashville, 4000
    • SQUIRREL - VISA - Nashville, 4000
    • TRANSACTION PLUS - Nashville, 4000
    • USA E PAY - Nashville, 4000
    • VAR - CardNet, 206
    • ANACOM - Nashville, 4000
    • API/Virtual/Basic - Nashville, 4000
    • AT & T - Nashville, 4000
    • AUTHORIZE NET - Nashville, 4000
    • Bookkeeper / Lkpt Gtwy - Nashville, 4000
    • CC HOSTING ENGINE - Nashville, 4000
    • CYBERSOURCE - Nashville, 4000
    • DIRECT LINK - Nashville, 4000
    • HTML & VIRTUAL LINKPOINT - Nashville, 4000
    • IC_VERIFY INTERNET DIAL - Nashville, 4000
    • INTELLIPAY - Nashville, 4000
    • Jettis - Omaha, 4010
    • LINKPOINT API & VIRTUAL LINKPOINT - Nashville, 4000
    • LinkPoint Cart - Nashville, 4000
    • LINKPOINT GTWY (SWIPED) - Nashville, 4000
    • LPAP / VLP / SCRUB - Nashville, 4000
    • LYCOS-1 - Nashville, 4000
    • LYCOS-2 - Nashville, 4000
    • NET BILLING - Nashville, 4000
    • NETSCAPE - Nashville, 4000
    • ORBIT PAYLINK - Nashville, 4000
    • PAYCOM - Nashville, 4000
    • PAYMENT NET - Nashville, 4000
    • PC-CHARGE INTERET DIAL - Nashville, 4000
    • PURE PAYMENT / IMALL - Nashville, 4000
    • RODOPI GATEWAY - Nashville, 4000
    • RODOPI PAYMENT GATEWAY - Nashville, 4000
    • TELECHARGE IVR - Nashville, 4000
    • VERISIGN LINK - Nashville, 4000
    • VERISIGN PRO - Nashville, 4000
    • VIRTUAL CHECK - N/A
    • VIRTUAL LINKPOINT - Nashville, 4000
    • YAHOO - STORE - Nashville, 4000
    • YAHOO GATEWAY - Nashville, 4000
    but you would still need a merchant account as well. The gateway only connects you to the transaction processor (usually First Data or Nova), and they will either authorize the transaction or send it off to the card association.

  10. #10 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    Quote Originally Posted by IT_Architect
    When I read the CISP requirements, it seems that CISP does not apply to companies that do less than 20,000 transactions per year. Is that right?
    That is merchant level 4:
    Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year
    for which a Self-Assessment Questionnaire is recommended annually and a network scan is required quarterly.

  11. #11 (Join Date: Feb 2006, Posts: 318)
    Quote Originally Posted by Corey Bryant
    You have a ton of options available to you. There are over 90 gateways that I know of that will process transactions online in real time...
    I don't understand your response. Ibill is a sex site that was implicated in a breach, Nashville 4000 is a used car lot, AuthorizeNET is a real-time gateway, and Payecom is not real-time. Non-real-time is what the customer wants.
    Last edited by IT_Architect; 01-04-2007 at 10:13 AM.

  12. #12 (Join Date: Jul 2003, Location: Castle Pines, CO, Posts: 7,189)
    Sorry, I really did not read through their entire site; I just read that they are a gateway. I just gave you other gateways.

    If you are looking for a gateway to store numbers, you might talk to CDGCommerce; I think he might have a solution. I am not familiar with Payecom and cannot give a reference for that one.

  13. #13 (Join Date: Feb 2006, Posts: 318)
    Quote Originally Posted by Corey Bryant
    Sorry, I really did not read through their entire site; I just read that they are a gateway. I just gave you other gateways.
    Manual gateways are rather rare it seems. But I do have a couple that I can use that are well liked by a guy on this forum. The companies are from Australia, but for one of them, their servers are in New Jersey. I will talk to the customer about using them. Storing that stuff on our servers doesn't make sense unless we go into this in a big way even though both data centers we have our servers in are CISP/PCI certified networks.

    Thank you for your information. You've been very informative not only on this thread, but on many others I've read while trying to choose a shopping cart. I actually search for your posts. You are obviously well versed in E-Commerce.
