I am working in PHP on a Linux server with MySQL.
I have a requirement (that I have attempted to talk them out of) to collect credit card information from users so that our company can use the card numbers to hold hotel rooms for a conference. We will not be charging the cards ourselves at all, but instead just sending them to the hotel. I then need to be able to download a CSV file, and each time someone signs up, an email needs to go to the admin with all the information.
I tried to explain that this wasn't secure, but several other developers have done this for them in the past before I was working here.
My question is: is there any way to make this secure? If not, are there any third-party options to make this happen?
EDIT:
I appreciate everyone who has posted so far; it has simply made me want to attempt to do this less and less. If you could add to your answers simple explanations, oriented at non-tech people, it would be greatly appreciated; in fact, cited sources and links would help me a great deal. I haven't found any sites that would explain this in a non-tech way.
Yes. But if we give your account this ability, it's irreversible. So make sure you're aware of the following ramifications: Due to PCI compliance regulations, card security codes (CSCs or CVVs) will not be collected.
Never collect credit card information using a form's text field. Even an encrypted text field doesn't comply with PCI standards. Use a credit-card-specific field only. Don't store credit card information in your form builder, in your own database or on paper.
Even with security measures in place, storing your credit card information online will put you at increased risk of your card information being stolen and criminals using it for fraudulent purchases. Manually entering your card information when you make a purchase reduces the chance of it being compromised.
To answer briefly, yes, merchants can store credit card information. The long answer is that merchants must be PCI compliant to store their credit card data. However, there is also some data you can keep and some you can't; make sure you securely handle your customers' credit card information.
First off, I am not a lawyer. I have implemented CC-handling code several times previously, but I am only familiar with Danish laws and regulations, so your mileage may vary.
As far as I know, there are restrictions in place (law and regulations from the CC providers) that you need to be aware of. I don't know where you are in the world, but in many countries you need to be PCI certified to handle credit card data and that is an extremely onerous, expensive and on-going process.
Other countries, or states, may have notification rules in play that require you to pay the cost of notifying the card holder if security is broken - and unless you are very careful, it is not unlikely.
In general, I would recommend against that procedure. You may risk being liable for any costs if it goes wrong.