Storing Credit Card details
Jimflip
1st June 2007, 11:38
Hi
I am interested in knowing if anyone here stores credit card details (actually we only plan to store partial details, enough for the user to identify a card)?
If so, what security policies are necessary?
Thanks,
Jim.
Subbynet
1st June 2007, 12:44
You should consult with your merchant account provider but you can also pick up information from - https://www.pcisecuritystandards.org
Regards,
Martin
openmind
1st June 2007, 13:28
Believe me, you really don't want to have to start jumping through the PCI hoops of fire and associated costs...
Subbynet
1st June 2007, 13:41
Yeah, true - but people are going to need this done if they're using their own merchant account set up - or storing details. No way around it really.
DuaneJackson
1st June 2007, 22:57
Avoid storing card details. We store just the last couple of digits and expiry (to identify the card to the user) and a few security codes generated by the first transaction so that we can repeat bill the card if need be.
brandyace
5th June 2007, 02:18
You do not want to take any chance of storing card data. One security breach and your business is toast. Use a PCI certified gateway.
Jimflip
7th June 2007, 12:45
Thanks for your helpful responses.
Actually I don't have to store any details anymore :)
But I do have to transmit details: users send details to my server from their PC (via HTTPS), and my server passes them on to the company that does all the transaction stuff.
From what I understand, I will still have to be PCI compliant, is this so?
We are just a small startup and I am wondering if becoming PCI compliant is feasible; does anyone have any information on the actual effort involved?
We plan on using a dedicated server provided by someone like fasthosts.co.uk.
The PCI documentation seems straight forward, but wondering what it actually entails.
Thanks,
Jim.
Subbynet
7th June 2007, 12:48
So long as the actual details do not pass through your server then you do not need to be PCI compliant.
For example, if you have a company like Protx processing the payments.
Jimflip
7th June 2007, 13:11
Yes the details will pass through my server, I can see no choice because the user will be entering their details via an application not a browser.
Forensic Analyst
7th June 2007, 13:38
Duane
100% the best way.
Quote: So long as the actual details do not pass through your server then you do not need to be PCI compliant.
You might want to double-check that with your merchant account provider. PCI compliance is not just about "sensitive" cardholder data like the card number, it also includes personal information like their name and address. Besides the danger you may be prevented from accepting credit cards through your site, it's also just good practice to ensure you're compliant so that you have a decent security system in place.
Subbynet
9th June 2007, 00:38
Quote: You might want to double-check that with your merchant account provider. PCI compliance is not just about "sensitive" cardholder data like the card number, it also includes personal information like their name and address. Besides the danger you may be prevented from accepting credit cards through your site, it's also just good practice to ensure you're compliant so that you have a decent security system in place.
I would always advocate meeting the PCI Compliance Standard just because the benefits speak for themselves, remembering that data like names and addresses also falls under the Data Protection Act.
I have to say, though, that you did quote me out of context, because I did cite an example. If your payments are handled by a 3rd party, then they must be PCI compliant and not necessarily your business (unless for some reason you keep hold of the data), and they also bear all the costs associated with meeting the standard.
Martin
JacobWardrop
10th June 2007, 21:29
We plan to store them once an API is sorted out.
Signing up to the Safebuy scheme too, and ensuring any details which are kept are kept safely; most will be destroyed, however.
Cornish Steve
10th June 2007, 23:16
So how does this work if you bill someone against their credit card every month? Are you saying you can simply quote a security code provided during a previous transaction and hence don't need to store card information?
DuaneJackson
11th June 2007, 08:49
Quote: So how does this work if you bill someone against their credit card every month? Are you saying you can simply quote a security code provided during a previous transaction and hence don't need to store card information?
Exactly that - we repeat bill hundreds of cards every month for our customers that pay monthly (most elect to pay annually). All we do is send a message to our payment processor (ProTX) containing the reference number for the first time we billed the card, along with a couple of security codes and the amount we want to charge (it can be more than the first amount if we want).
Just like a normal transaction, we instantly get an approval or it gets declined.
superman
15th June 2007, 16:01
Quote: So how does this work if you bill someone against their credit card every month? Are you saying you can simply quote a security code provided during a previous transaction and hence don't need to store card information?
Protx store the credit card details on their server for you, so you can use a reference to make additional payments on the same card. Very clever security: if hackers access your system they will only be able to make payments to your company.
I know for a fact Barclays don't offer this though and if you want to do repeat payments (of variable amounts) then the only way is to store the credit card details in your system.
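The two technical points in this thread, worked as an added example (my code, not anything posted above and not Protx's or any other gateway's real API): Duane's and superman's model of keeping only the last four digits, the expiry and an opaque processor reference and repeat-billing by quoting that reference, and Jim's pass-through server, where card numbers transit the box and you want to confirm none of them land in logs or the database. `FakeProcessor` is an assumed stand-in interface, the log lines are constructed, and the card numbers are the standard test numbers rather than real cards.

```python
"""Added example, not code from the thread or from any processor's SDK.

Two of the thread's points in working form:
  * After the first payment the merchant keeps only last4 + expiry + an
    opaque processor reference and repeat-bills by quoting the reference.
    FakeProcessor is an assumed stand-in, not Protx's real interface.
  * Card numbers pass through the merchant's server, so scan logs (and dumps
    of your own records) for anything that looks like a PAN.
"""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real card number passes; weeds out most false hits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant holds. No full PAN and no CVV, ever."""
    last4: str
    expiry: str          # "MM/YY", shown to the user alongside last4
    processor_ref: str   # opaque token the processor issued on the first charge

    def display(self) -> str:
        return f"**** **** **** {self.last4} (exp {self.expiry})"


class FakeProcessor:
    """Assumed gateway interface (not Protx's). It keeps the card data itself and
    only honours repeats for references it issued, so a stolen copy of the
    merchant's database cannot be used to pay anyone else."""

    def __init__(self):
        self._vault = {}
        self._count = 0

    def charge(self, pan: str, expiry: str, cvv: str) -> str:
        self._count += 1
        ref = f"REF-{self._count:06d}"
        self._vault[ref] = (pan, expiry)  # the CVV is checked once and discarded
        return ref

    def repeat(self, ref: str, amount_pence: int) -> bool:
        return ref in self._vault and amount_pence > 0


def tokenise_first_payment(pan: str, expiry: str, cvv: str, processor) -> StoredCard:
    """Full card data goes to the processor exactly once; only the reference comes back."""
    pan = re.sub(r"[ -]", "", pan)
    if not luhn_valid(pan):
        raise ValueError("not a plausible card number")
    ref = processor.charge(pan=pan, expiry=expiry, cvv=cvv)
    last4 = pan[-4:]
    del pan, cvv                          # nothing below can reach them again
    return StoredCard(last4=last4, expiry=expiry, processor_ref=ref)


def repeat_bill(card: StoredCard, amount_pence: int, processor) -> bool:
    """Monthly billing: quote the reference, never a card number."""
    return processor.repeat(card.processor_ref, amount_pence)


# 13-19 digits, optionally split by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Luhn-valid card numbers present in a blob of text such as a log file."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed log sample: one DEBUG line leaks the raw request body, and the
# 14-digit order number is a false hit the Luhn check should discard.
SAMPLE_LOG = """\
2007-06-07 12:45:01 INFO  payment request order=12345678901234 amount=1999
2007-06-07 12:45:01 DEBUG raw body: pan=4111 1111 1111 1111 exp=09/09 cvv=123
2007-06-07 12:46:12 INFO  repeat bill ref=REF-000001 amount=1999
"""

if __name__ == "__main__":
    gateway = FakeProcessor()
    card = tokenise_first_payment("4111 1111 1111 1111", "09/09", "123", gateway)
    print(card.display(), "->", repr(card))
    print("repeat ok:", repeat_bill(card, 2499, gateway))
    print("PANs leaked into log:", find_pans(SAMPLE_LOG))
```

Run `find_pans` over your application logs, request dumps and database exports after a test transaction; with a pass-through design like Jim's, the DEBUG line above is exactly the kind of accidental storage that drags a server into PCI scope.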