No Storing Credit Cards Online (Even for a Minute)?

I have a new client in an industry I don’t normally work with or accept: network marketing. His network marketing company’s shopping cart is so horrible that he went outside to have his own website and shopping cart produced last year. Originally he went with Stores Online.

Every order he would get through his cart, he would collect the credit card info (Stores Online allows this to be stored online) and then manually enter the order into his big company network marketing shopping cart. Orders would NOT be sent through a gateway like authorize.net because the network marketing company must calculate shipping cost from their distribution center.

Big limitations with Stores Online inspired him to get a new website with me and to use my cart of choice (Interspire). Since I have another client that takes tons of online orders and does the same thing (processes them manually off-line), I figured our cart would work for this situation too.

One big difference: my other client doesn’t need to capture the security code information on the back of the card.

Interspire’s cart will allow for credit card info to be stored, BUT it does NOT allow for the security code on the back of the card to be stored (they say it’s a security risk, non-PCI-compliant, and a liability issue).

The client said, “yeah that’s what Stores Online told me too but then they told me to just make a custom field and have people add their security code.” The security code is stored in a non-secure admin area so I would figure that would be non-secure in the PCI compliance process too.

Gets better…

So I figure, why don’t we just do what Stores Online is doing and add a custom field to the order form and have the customer add their security code just like Stores Online. Interspire tells me it’s illegal and we could be held liable if anyone got ahold of that code and even be banned from our hosting company if they do a PCI scan and find it. None of my team of programmers will touch adding custom fields to this cart with a ten foot pole to capture the security code.

My questions are these:

  1. Why can Stores Online do it but we can’t if it’s so “illegal?”

  2. Why would there even be any risk if someone had a bunch of 3 and 4 number security codes? They still can’t get access to the SSL area where the real credit card information is. Plus, the credit card information would be erased from the server within 30 minutes of the transaction anyway (One of my rules put forth to the client up front.) It just doesn’t make sense why anyone would even be worried about it.

  3. Is there another solution I’ve overlooked?

Since they have to call the customer anyway and tell them how much the charge will be for shipping, I don’t see why he can’t just ask for the code too, but apparently that’s not acceptable.

Any answers or suggestions would be great. Thanks in advance.

Question 1: I don’t think this is the question you should be asking. Just know that storing the 3 or 4-digit security code (CVC2/CVV2) is prohibited.
“Sensitive authentication data - storage not allowed:
Full magnetic stripe
CVC2/CVV2/CID
PIN / PIN Block”
http://www.owasp.org/index.php/Handling_E-Commerce_Payments#PCI_Compliance

Q2: Ask a PCI consultant.

Q3. Good question.

One more point. Your client doesn’t want to get on what is known as the Match File. If his business is ever involved in a cardholder-data theft situation and it’s revealed he’d been storing security codes, I’d guess he’d end up on one. This is much much much worse than getting banned by a web host for failing a PCI DSS compliance audit. (Not to mention the probable financial penalties Visa, MC and the banks will probably dump on him.)

Bottom line: you’re fine until you get caught.
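What the answer's quoted rule looks like when enforced in code, as an added example that is not part of the original thread and is not Interspire's or Stores Online's code: before an order is written anywhere, every field holding sensitive authentication data (CVV2/CVC2/CID, full magnetic stripe, PIN) is dropped, a security code typed into a free-text "custom field" (the workaround the poster describes) is scrubbed out, and the full card number that the poster keeps for manual re-entry is purged at the 30-minute limit he set for his client. The field names, the regular expression, the sample order and the `StoredOrder` shape are assumptions made for this illustration.

```python
"""Added example: keep prohibited cardholder data out of storage and purge the
PAN after the 30-minute window described in the thread. Not code from the
original post; field names, regex and sample order are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Field names that must never reach storage (PCI DSS "storage not allowed").
# Assumed names; extend to whatever the cart's order form actually uses.
PROHIBITED_FIELDS = {
    "cvv", "cvv2", "cvc2", "cid", "security_code",
    "track1", "track2", "magstripe", "pin", "pin_block",
}

# Catches a security code smuggled into a free-text field, e.g. "CVV: 123".
CVV_IN_TEXT = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\b\s*[:=]?\s*\d{3,4}\b", re.I)

# The poster's own rule: card data is gone within 30 minutes of the order.
PAN_RETENTION = timedelta(minutes=30)


@dataclass
class StoredOrder:
    order_id: str
    pan_last4: str            # safe to keep for matching the order later
    pan: Optional[str]        # full PAN, present only inside the window
    expires_at: datetime
    fields: Dict[str, object]  # everything else the merchant needs


def sanitize_for_storage(raw: Dict[str, object], now: datetime) -> StoredOrder:
    """Return the only form of the order that may be persisted."""
    pan = re.sub(r"\D", "", str(raw.get("card_number", "")))
    if not 13 <= len(pan) <= 19:
        raise ValueError("card number missing or malformed")
    kept: Dict[str, object] = {}
    for key, value in raw.items():
        name = key.lower()
        if name == "card_number" or name in PROHIBITED_FIELDS:
            continue  # never stored, not even "for a minute"
        if isinstance(value, str) and CVV_IN_TEXT.search(value):
            # Strip the code but keep the rest of the customer's note.
            value = CVV_IN_TEXT.sub("[security code removed]", value)
        kept[key] = value
    return StoredOrder(order_id=str(raw["order_id"]), pan_last4=pan[-4:],
                       pan=pan, expires_at=now + PAN_RETENTION, fields=kept)


def purge_expired(orders: List[StoredOrder], now: datetime) -> int:
    """Drop full PANs whose retention window has closed; return how many."""
    purged = 0
    for order in orders:
        if order.pan is not None and now >= order.expires_at:
            order.pan = None
            purged += 1
    return purged


def audit_stored(orders: List[StoredOrder], now: datetime) -> List[str]:
    """Detection check for a PCI review: ids of orders still holding data
    that should not be there (prohibited fields, codes in text, stale PAN)."""
    flagged = []
    for order in orders:
        stale_pan = order.pan is not None and now >= order.expires_at
        bad_field = any(
            k.lower() in PROHIBITED_FIELDS
            or (isinstance(v, str) and CVV_IN_TEXT.search(v))
            for k, v in order.fields.items())
        if stale_pan or bad_field:
            flagged.append(order.order_id)
    return flagged


def demo() -> dict:
    """Run the pipeline over a constructed order form submission."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    raw = {  # constructed sample, including the "custom field" workaround
        "order_id": "1001",
        "card_number": "4111 1111 1111 1111",
        "cvv": "123",
        "security_code": "123",
        "customer": "J. Doe",
        "notes": "Leave at door. cvv 123",
    }
    order = sanitize_for_storage(raw, now)
    result = {
        "fields": dict(order.fields),
        "last4": order.pan_last4,
        "audit_after_sanitize": audit_stored([order], now),
        "purged_at_29min": purge_expired([order], now + timedelta(minutes=29)),
        "audit_at_31min": audit_stored([order], now + timedelta(minutes=31)),
    }
    result["purged_at_30min"] = purge_expired([order], now + PAN_RETENTION)
    result["pan_after_purge"] = order.pan
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `audit_stored` is that the check runs against what is actually on disk, not against the form: a scanner the hosting company runs looks at stored data, so the stored form is what has to be clean.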