Online Credit Card Storage? [closed]

I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing.

Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page on which he views the orders and credit card information, which he uses to process offline with his own merchant.

After retrieving the information from the back-end page, the credit card number and CVV2 are immediately deleted (PHP script automatically called). The information is also deleted if that page is not accessed within 7 days. So, there is a potential for all of the information to be in the database in plain text for seven days before transaction processing.

This does not seem like a good design and may be illegal. If it is illegal, I am going to have to break this to him, because he does not realize that yet.

My question: Besides being insecure, is this illegal or a violation of terms of use (PCI DSS)? And, if so, how can I prove it to him so that he will allow me to change his ways (obviously, I don't want to put my hands into something that is illegal. Also, sometimes the wording of terms of use can seem subjective)? Finally, what are the best options for fixing this issue (3rd party online merchant, becoming PCI DSS compliant, or something else)?

Stephen Watkins, asked Feb 10 '10 22:02



2 Answers

That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).

Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.

Edit

Since I doubt the website owner will actually bother to get a new merchant account or implement a payment gateway, your best bet is to use two-way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end to end.

I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever having a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.

John Conde, answered Sep 22 '22 04:09


This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml It would be smart to go third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self assessed), which can include penetration testing, etc. If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking. I currently support an in house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes as well. It will be cheaper for the business to convert to third party.

Jim, answered Sep 22 '22 04:09
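As an added illustration of the storage rules both answers invoke (this is not code from the question's site or from either answerer): a scan that flags clear-text PANs and stored CVV2 values in rows shaped like the described `orders` table, and the reduced record (gateway transaction reference plus last four digits) that the back office could keep instead. The row contents, field names and the `TXN-EXAMPLE-0001` reference are constructed for the example.

```python
import re

# Constructed sample rows shaped like the plain-text `orders` table the question describes.
# The card number is a well-known Visa test PAN, not real customer data.
ORDERS_AS_STORED = [
    {"id": 1, "name": "A. Customer", "phone": "5551234567",
     "card_number": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/11"},
    {"id": 2, "name": "B. Customer", "phone": "5559876543",
     "card_number": "", "cvv2": "", "expiry": ""},   # already wiped by the 7-day script
]

# Column names that hold the card verification value; PCI DSS forbids storing it after authorization.
CVV_KEY = re.compile(r"cvv|cvc|cid|security_?code", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_row(row: dict) -> list:
    """Return PCI DSS storage findings for one stored row (empty list means clean)."""
    findings = []
    for key, value in row.items():
        if CVV_KEY.search(key) and str(value):
            findings.append(f"{key}: CVV2 stored after authorization (never permitted)")
        digits = re.sub(r"[ -]", "", str(value))
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"{key}: full PAN stored in clear text")
    return findings


def to_pci_shape(row: dict, gateway_txn_id: str) -> dict:
    """Keep only what the back office needs: the gateway's reference and the last four digits."""
    digits = re.sub(r"[ -]", "", str(row.get("card_number", "")))
    return {"id": row["id"], "name": row["name"], "phone": row["phone"],
            "pan_last4": digits[-4:], "gateway_txn_id": gateway_txn_id}


if __name__ == "__main__":
    for row in ORDERS_AS_STORED:
        print(row["id"], audit_row(row) or "clean")
    print(to_pci_shape(ORDERS_AS_STORED[0], "TXN-EXAMPLE-0001"))
```

Running the audit over a dump of the existing table shows the owner exactly which columns put him out of compliance; running it again over the reduced records shows they hold nothing PCI DSS treats as cardholder data needing protection.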