I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing.

Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page on which he views the orders and credit card information, which he uses to process offline with his own merchant.

After retrieving the information from the back-end page, the credit card number and CVV2 are immediately deleted (a PHP script is called automatically). The information is also deleted if that page is not accessed within 7 days. So, there is a potential for all of the information to be in the database in plain text for seven days before transaction processing.

This does not seem like a good design and may be illegal. If it is illegal, I am going to have to break this to him, because he does not realize that yet.

My question: Besides being insecure, is this illegal or a violation of terms of use (PCI DSS)? And, if so, how can I prove it to him so that he will allow me to change his ways (obviously, I don't want to put my hands into something that is illegal. Also, sometimes the wording of terms of use can seem subjective)? Finally, what are the best options for fixing this issue (3rd party online merchant, becoming PCI DSS compliant, or something else)?

I realize this is a loaded question and thank you very much in advance,

Steve

A: 

It is definitely a violation of PCI rules. However, it shouldn't be that hard to add encryption to the stored data, especially if it's rare a human will have to look at it.

Having worked for a third party credit card transaction processing company, I highly recommend it if their system is that bad. However, you'll still need to encrypt that information, or not store it at all after it's sent to the TPP. The TPP really works for the merchant, so they can help you with any compliance issues and help you get the best interchange rates.

dj_segfault
+1  A: 

There are lots of third party payment providers for you that will deal with all security and compliance issues.

For any small to medium businesses this is one function that should definitely be outsourced to those with expertise.

DanSingerman
+11  A: 

That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).

Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.

Edit

Since I doubt the website owner will actually bother to get a new merchant account or implement a payment gateway, your best bet is to use two-way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end-to-end.

I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever having a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.

John Conde
Would the ECI compliance pertain to this situation? He is not doing transactions online, but just getting the information online to do the transactions offline. It's kind of like receiving credit card information over the phone to carry out the transaction. And/Or are you saying that this requires another merchant account?
stjowa
ECI compliance is an issue because the order originated through their website. If it originated over the phone ECI would not apply. Basically it's not how you process the order but where it originates. It also requires another merchant account because orders originating on the Internet must be separate from non-Internet orders. This is primarily due to chargeback issues.
John Conde
That makes sense. Thank you.
stjowa
+2  A: 

Using a 3rd party credit card processing gateway obviates the need for storing credit information on the client's server - the POST'ed cc info is passed along to the processing gateway which returns a transaction id that can be used for record-keeping by your client.

A credit card payment gateway is provided by companies like Authorize.net, LinkPoint Central - even PayPal is getting into the game. All the major gateways have existing code for integrating a shopping cart with most of the popular web programming platforms (.NET, PHP, Java, etc.). Plus most major shopping carts support the major gateways out of the box, or at the very least have installable modules for most gateways.

So, your client should get an internet payment gateway setup and you should integrate their existing code with the gateway.

pygorex1
+1  A: 

Correctly protecting payment data is a complex topic. Even very large companies sometimes have large numbers of credit cards stolen from their systems.

At a minimum, here are steps to consider:

  • Ensure the online order form is using HTTPS to capture data.
  • If the DB and web server are different boxes, ensure a secure path between them.
  • Encrypt the payment data in the DB. MySQL Reference.
  • Ensure strong access control to the back-end web page (is it physically accessible to the outside world? Does it require a strong password? Is it HTTPS?)
  • Ensure there are no logs (e.g. debug log) that end up writing the payment info to the file system.
Eric J.
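As an added example (not code from the question or from any of the answers) of the pattern pygorex1 and Eric J. describe: the card data goes to the gateway, the merchant keeps only the transaction id, and neither the database record nor any log line is allowed to carry a PAN or CVV. FakeGateway is a constructed stand-in for a real gateway client such as the Authorize.Net SDK the answers mention, and the order form values are constructed test data.

```python
import hashlib
import re

# Constructed stand-in for a payment gateway SDK (the answers name Authorize.Net);
# a real integration would be an HTTPS call and would never hand the PAN back.
class FakeGateway:
    def charge(self, number, expiry, cvv, amount_cents):
        ref = hashlib.sha256(f"{number}|{expiry}|{amount_cents}".encode()).hexdigest()
        return {"approved": True, "transaction_id": "txn_" + ref[:12]}

def luhn_ok(pan):
    """Luhn check; used to tell a real card number from any other run of digits."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def redact_pans(text):
    """Mask Luhn-valid card numbers so debug or notification logs never carry a PAN."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "****" + digits[-4:] if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(mask, text)

def safe_to_store(record):
    """True only if the record has no CVV field and no value that is a valid PAN."""
    if "cvv" in record or "cvv2" in record:
        return False
    return not any(luhn_ok(re.sub(r"\D", "", v)) for v in record.values() if isinstance(v, str))

def process_order(form, gateway):
    """Charge through the gateway and return (db_record, log_line).
    Only the transaction id, last four digits and expiry are kept for record-keeping."""
    result = gateway.charge(form["number"], form["expiry"], form["cvv2"], form["amount_cents"])
    record = {"customer": form["name"], "amount_cents": form["amount_cents"],
              "transaction_id": result["transaction_id"],
              "last4": form["number"][-4:], "expiry": form["expiry"]}
    if not safe_to_store(record):
        raise ValueError("refusing to persist card data")
    # Even a careless dump of the raw form is scrubbed before it reaches a log file.
    log_line = redact_pans(f"order from {form['name']} card {form['number']} -> {result['transaction_id']}")
    return record, log_line
```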
+2  A: 

This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml . It would be smart to go third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self assessed), which can include penetration testing, etc. If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking. I currently support an in-house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes as well. It will be cheaper for the business to convert to third party.

Jim