PCI Compliance - Storing Credit Cards in an Application
I frequently see the question posed in various forums and community sites on how to maintain PCI Compliance within a software application.
For example - "If my customer processes credit cards out of the system I built for them, how do I have to store the credit cards to be compliant? Do they need to be encrypted, double encrypted - double encrypted with an encrypted key, etc.?"
Let's face it - it's a scary world out there when you hand your credit card information over to a complete stranger. With all of the SQL injection attacks, cross-site scripting attacks, rootkits, viruses, Trojans, spyware, etc. - it seems like there are many opportunities for a hacker to compromise a system. Additionally, we hear horror stories about identity theft every day, with systems being compromised left and right and massive amounts of personal data being stolen.
Add to that the hefty fines levied by Visa and Mastercard should a breach occur and card numbers get compromised - fines heavy enough to put any small or medium merchant out of business - it almost makes a merchant not want to store those credit cards.
So, what's the answer? The answer is to NOT store the credit cards in the application. By storing the cards, the merchant puts themselves at great risk. The NELiX TransaX gateway has a feature called the "Customer Vault". The Vault allows a merchant to process an initial transaction and receive a Vault ID in return. The Vault ID is then stored in the merchant's database. The credit card info used to run the initial transaction is discarded. Any subsequent transactions can then be run against the Vault ID without having to re-collect the credit card information.
This process allows merchants to be clear of the liability of storing credit cards, whether encrypted or not. The cards are stored in the PCI-compliant gateway. The liability is on us, not the merchant. Storing credit cards in general is a bad practice, and should be avoided at all costs.
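To make the vault pattern concrete, here is an added example (not code from the post and not the NELiX TransaX API, whose calls are not shown on the page). It uses a hypothetical stand-in gateway object that hands back a vault ID for an initial transaction, a merchant application that persists only that ID plus the last four digits, and a small Luhn-based scanner a reviewer can run over the application's persisted data to confirm that no full card number ended up in it. The customer, amounts and the 4111... test card number are constructed sample values.

```python
import re
import secrets
import string

# Stand-in for the gateway's vault (hypothetical; not the real NELiX TransaX API).
# In a real deployment this side lives inside the gateway's PCI-scoped environment,
# which stores the card data under its own controls. Here it is a plain dict so the
# flow can run offline.
class StandInGatewayVault:
    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}

    def initial_transaction(self, pan: str, expiry: str, amount_cents: int) -> tuple[str, bool]:
        """Authorize the first charge and return (vault_id, approved)."""
        if not luhn_valid(pan):
            return "", False
        # Vault ID is letters only so it can never be mistaken for, or parsed as, a PAN.
        vault_id = "vlt_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._vault[vault_id] = {"pan": pan, "expiry": expiry}
        return vault_id, True

    def charge_vault(self, vault_id: str, amount_cents: int) -> bool:
        """Run a follow-up charge against a previously vaulted card."""
        return vault_id in self._vault and amount_cents > 0


# What the merchant's application persists. Note there is no field for the PAN at all.
class MerchantApp:
    def __init__(self, gateway: StandInGatewayVault) -> None:
        self.gateway = gateway
        self.customers: dict[str, dict] = {}  # stands in for the merchant's database table

    def first_purchase(self, customer_id: str, pan: str, expiry: str, amount_cents: int) -> bool:
        vault_id, approved = self.gateway.initial_transaction(pan, expiry, amount_cents)
        if approved:
            # Only the vault ID and a truncated PAN (last four digits, used for receipts)
            # are written; the full card number goes out of scope with this call.
            self.customers[customer_id] = {"vault_id": vault_id, "last4": pan[-4:]}
        return approved

    def repeat_purchase(self, customer_id: str, amount_cents: int) -> bool:
        record = self.customers.get(customer_id)
        return record is not None and self.gateway.charge_vault(record["vault_id"], amount_cents)


def luhn_valid(number: str) -> bool:
    """Luhn check digit validation, the usual first filter for 'does this look like a PAN'."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Defender's check: scan a blob of persisted data for 13-19 digit runs that pass Luhn.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list[str]:
    return [m for m in _PAN_RE.findall(text) if luhn_valid(m)]


def demo() -> dict:
    """Run the full flow and report where a card number can and cannot be found."""
    gateway = StandInGatewayVault()
    app = MerchantApp(gateway)
    pan = "4111111111111111"  # constructed sample: a well-known test number, not a real card
    first = app.first_purchase("cust-42", pan, "12/29", 1999)
    repeat = app.repeat_purchase("cust-42", 499)
    app_store = repr(app.customers)
    return {
        "first_approved": first,
        "repeat_approved": repeat,
        "pan_in_app_store": pan in app_store,
        "pans_found_in_app_store": find_pans(app_store),
        "pans_found_in_gateway": len(find_pans(repr(gateway._vault))),
    }


if __name__ == "__main__":
    print(demo())
```

The interesting line in the output is the pair of scan results: the gateway's side contains one card number, the application's persisted data contains none, which is exactly the scope shift the post describes. The same `find_pans` scan is worth running over database dumps, log files and backups of any application that claims not to store card data.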
More information on the NELiX TransaX Payment Gateway
More information on PCI Compliance