  1. #1
    JREAM

    PCI Compliant Storing Half Credit Card

    PCI Compliance is scary business and I don't have the time to manage someone's server.
    My client needs to be able to pass a Credit Card to a 3rd party over the phone, the problem
    is storing it on-site is illegal without PCI compliance.

    Can I encrypt and store 1/2 of the Credit Card number, and email the other 1/2 to a Gmail account?
    Would this be considered shady practice? Is it even legal?

    Thanks

  2. #2
    logic_earth
    No, you cannot do that. Don't even think of using email or the system the client is proposing. Have the client get a merchant account and payment gateway.


  3. #3
    felgall
    Originally posted by JREAM:
    "the problem is storing it on-site is illegal without PCI compliance."

    Storing any part of a credit card number on a computer connected to the internet is a breach of PCI. You are not allowed to do it when your site is PCI compliant.

    Storing any part of a credit card number across thousands of email servers (as happens when emails are sent) is about the worst possible breach since then it is available in lots of places and not just one place - and even one place is one more than PCI allows.
    Stephen J Chapman


  4. #4
    JREAM
    Thanks you guys, I knew some folk who did it back yonder (without naming names), obviously not a good idea -- never thought of the emails stored on many servers, doh!

