Results 1 to 17 of 17
  1. #1

    Storing Credit Cards - PCI Certified?

    I have an e-commerce site that I will be hosting with ************.com. The database is MS SQL 2005 and in a shared environment. They have a secure environment, with firewalls, etc. Can I legally store credit card information in my database? Storing credit cards is an absolute requirement for my site and I am going through authorize.net. Thanks in advance for any information on this.

  2. #2
    Join Date
    Aug 2003
    Location
    Chesapeake, VA
    Posts
    3,379
    If you are hosting in a shared environment on a database server shared by multiple users, PCI compliance is going to be very difficult to achieve.

    The PCI certification & validation process looks into all aspects of your e-commerce application. It starts with the physical security that exists at the location - is there two-factor authentication (i.e. PIN + biometric or ID + PIN, etc.), what kind of physical safeguards exist. It goes into network topology - are you segregating one application per server? What kind of encryption is being used? How frequently are keys changed? What kind of security policy manual do you have? And the list goes on and on... even requiring penetration testing now for applications. PCI compliance is definitely a non-trivial task for a merchant who wants to store cardholder data.

    An easier approach may be to instead utilize a PCI-compliant gateway that can store your cardholder data for you and then build your software to interact with it remotely. This way, you can still have the benefits of being able to charge your customers at any time - without the exposure of actually storing the data yourself.

    Also, if you are interested in looking into more specifics about what is required for PCI compliance, here is a link to the Visa PCI/CISP Web site:
    http://usa.visa.com/merchants/risk_management/cisp_overview.html?it=c|/merchants/risk_management/cisp.html|How%20to%20Comply#anchor_2

    Hope that info is helpful!
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  3. #3
    Join Date
    Feb 2004
    Posts
    634
    As CDGcommerce said, it will be next to impossible to be fully compliant in a shared database environment. Authorize.Net does allow you to store the card details on their servers and remove that liability from your own environment; they call it the "Customer Information Manager" and I believe it's an additional $20/mo for that feature.

  4. #4
    Thanks for all of the information. I would really prefer to store the data myself, so it looks like I will have to move out of a shared environment and pay more. Hopefully a VPS solution will be ok, I will have to look into this as well as make sure the hosting provider is compliant.

  5. #5
    Also, does anyone have experience with storing their customers' credit cards on authorize.net? Does it work well? Can a customer store multiple credit cards, where when they go to check out they can select from multiple credit cards they have on file? Thanks for any input.

  6. #6
    Join Date
    Apr 2008
    Location
    Portland, ME
    Posts
    117
    Under no circumstances should theses items ever be written to disk and should not be stored in memory past the time when the authorization for the transaction is requested.
    1) Full contents of the Magnetic Stripe

    2) Card Security Code ( CVV2, CVC2 or CID)

    3) PIN and/or PIN Block



    The other four can be stored but must be encrypted

    4) Credit Card Number

    5) Cardholder Name

    6) Expiration Date

    7) Service Code

  7. #7
    Join Date
    Aug 2003
    Location
    Chesapeake, VA
    Posts
    3,379
    The above is all correct but keep in mind that encryption [b]by itself[/i] is not enough. You need to also follow all of the other PCI guidelines as well.

    This is very important because even if you encrypt your CC data, if there are means by which the application, the server, the network or physical access to any/all of the above can be compromised or are otherwise vulnerable - the encryption by itself won't prevent a security breach.
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  8. #8
    What are the chance of actually getting audited for PCI certification? I understand it is in everyone's best interest to protect card holder's data, but if it is a small site, with only a few credit cards, it would be a big hastle (and expensive) to ensure PCI certification. I know it is the right thing to do, but I'm just wondering how many companies are actually audited for this. Does anyone have an idea of how this PCI Certification auditing works?

  9. #9
    Join Date
    Apr 2008
    Location
    Portland, ME
    Posts
    117
    Hi Blugold19,

    I'd love to provide some clarity for you. What size business are you?
    If you are you're a smaller start-up , you would be considered a Level 4 merchant.

    The requirement for Level 4 is:
    1) Quarterly scans by an approved vendor - Cost: Typically $120 to $240 per year
    2) Answering the PCI Self Assessment Questionnaire - Cost: Your time

    Currently there is no requirement of a Level 4 merchant to prove they've done the above two items; unless they have experienced a data breach. Should that occur, they would then be open to penalties, fines and an on site audit. The latter would probably cost you between $10,000 and $15,000.

    >> I'm just wondering how many companies are actually audited for this
    All Level 1 companies must be audited as well as anyone who has experienced a data breach. In the U.S., Visa has identified under 500 companies that are Level 1.


    >> Does anyone have an idea of how this PCI Certification auditing works?
    A qualified PCI Auditor spends time at your data center(s), typically one to three days, running tests to ensure you are compliant with all defined security points of the PCI document.

    For more information, pcicomplianceguide.org is a great resource.

    Take care,

    Erin
    Last edited by e-onlinedata support; 05-07-2008 at 02:56 PM.

  10. #10
    Thanks Erin.

    We will be a small auction site at first, so I'm assuming we'd be level 4 (couldn't say how much revenue, probably around $100k). I think it would make most sense for us at first to be as secure as possible in our shared database environment, and then as we get bigger, we will move to a dedicated database environment and focus more on the PCI certification.

    Thanks,
    Tony

  11. #11
    Join Date
    Apr 2008
    Location
    Portland, ME
    Posts
    117
    You're welcome Tony! Good luck with your launch. Keep us posted.

  12. #12
    you can store credit card info's except CVV2(CSN) or PIN in the database
    , but they should be encrypted

  13. #13
    Join Date
    Sep 2001
    Location
    Seattle, WA
    Posts
    3,084
    Quote Originally Posted by e-onlinedata support View Post
    The requirement for Level 4 is:
    1) Quarterly scans by an approved vendor - Cost: Typically $120 to $240 per year
    2) Answering the PCI Self Assessment Questionnaire - Cost: Your time

    Currently there is no requirement of a Level 4 merchant to prove they've done the above two items;
    From what I've read, Level 4 merchants are only required to have quarterly scans if their acquiring bank requires them. Not all banks require this.
    Jim Reardon - jim/amusive.com

  14. #14
    Join Date
    Dec 2006
    Location
    Baltimore
    Posts
    19
    Check out qualys. The have a good tool for doing scans for PCI compliance.

  15. #15
    The baseline is that no mather your transaction amount, encrypted or not encrypted, you are required to be PCI compliant.

    Not doing this the right way puts you in danger of being liable for fees of 10.000 usd and up. (actually is stated penalty fees of 500.000 usd)

    Also due to how the US legal system, you would also also be liable for unknow amounts due to sivil suits...
    Offering cost effective Open Source Software modification and customization aswell as Webshop template designs and modifications

  16. #16
    Join Date
    Aug 2003
    Location
    Chesapeake, VA
    Posts
    3,379
    Amusive is correct in that the Level 4 merchant requirements can vary from one acquirer to another.

    For instance, I know of one Internet merchant processor who more or less twisted the actual Visa/MC requirements to justify charging ALL of their Internet merchants a $19.95/month "PCI compliance fee." This is clearly NOT something that Visa or MasterCard are requiring so if in doubt - it is a good idea to check with your individual merchant acquirer as to what their specific policy is on this.
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  17. #17
    Join Date
    Sep 2001
    Location
    Seattle, WA
    Posts
    3,084
    I know the thread is a bit old, but this is pretty cool: Softlayer announced free PCI scanning for SoftLayer servers.
    http://www.softlayer.com/press_2008_06_24.html

    If you are with a provider that requires PCI compliance, this would save you anywhere from $120-$300+ a year.

    I happened to notice it in the control panel while looking for the monitoring section, and when searching found out they announced it today.

    Pretty nice!
    Jim Reardon - jim/amusive.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •