Processing payments "offline" with "online" data

Hi,

I could be potentially taking on a new project for a client.

Currently they take bookings using credit card details (16-digit number, from/expiry dates, security no.) from customers and store this data in a database online. Raw data.

They use a Secure Server to access this data but once you’re in, this appears as raw data which is frickin’ scary as hell.

Can anyone explain to me what the client should have in place to protect themselves (from being sued) and to protect their customers from loss of significant data?

Do they need PCI DSS scans on the server?
How should the Customer Credit Card details be stored in the database and exported to the Client when they’re ready to process transactions offline?
Anything else I should be considering apart from running away from this project? :stuck_out_tongue:

Many thanks for any help with this.

They should be stored encrypted in the database, so if it falls into the wrong hands they would have a real hard time making any use of it.

Also, using better SSL helps secure the data transmission over the wire.

For the web server itself you can have a hardware firewall, virus protection, etc.

Do you have experience of encryption for this kind of data? What level should I be looking at?

Any suggestions for a hosting company / dedicated server package to host with?

Thanks for your help

PCI DSS is a set of standards they are required to follow. There are several hundred rules, only one of which is that they have their infrastructure scanned regularly. They are likely violating dozens and dozens of those rules from the sound of it. If there is ever a loss of cardholder data and they’re not in complete compliance with PCI DSS, the fines can be as high as $500,000 per incident.

I wouldn’t mess with that stuff. If you’re going to work with them, convince them to stop storing credit card data at all. You can’t just brush up on how to encrypt the data and become compliant. You can’t even recommend a web host to them without being well versed in this stuff, as your entire technology stack has to be PCI DSS/PA-DSS compliant. The server the cardholder data is stored on can’t be connected to the internet at all, and most VPS providers’ facilities are not certified, so forget most off-the-shelf web hosting.

Really, if you’re going to work with them, and they want to comply with the rules of their merchant account, they need to stop storing credit cards. Let their payment gateway do that; most of them have a “secure vault” type thing where you send the payment info and get back a token to use to charge it in the future.

Off Topic:

If they’re capturing these credit cards online, then keying them into a POS system as if they were handed to them in a store, that’s grounds to not only lose their merchant account but be added to the terminated merchants file and never be allowed to accept credit cards for the rest of the business owners’ lives.
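The “secure vault” flow described in the post above, as an added example that is not part of this thread and not any real gateway’s API: the card details go to the gateway once, the merchant’s booking table keeps only the returned token plus last four digits and expiry, and the later “offline” processing step charges by token, so the full card number never sits in the client’s database. `MockVault` is a hypothetical stand-in for the gateway’s vault, the booking table is in-memory SQLite standing in for the client’s MySQL table, and the card number is the widely used test PAN 4111 1111 1111 1111 (constructed test data, not a real card).

```python
import secrets
import sqlite3


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: cheap sanity check before a PAN is sent to the gateway."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class MockVault:
    """Hypothetical gateway-side vault. Lives on the gateway, never on the
    merchant's server; the merchant only ever sees the token it returns."""

    def __init__(self) -> None:
        self._cards: dict[str, dict[str, str]] = {}

    def tokenise(self, pan: str, expiry: str, cvv: str) -> dict[str, str]:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        # The CVV is used for the initial authorisation only and is deliberately
        # not retained here: PCI DSS forbids storing it after authorisation.
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token: str, amount_pence: int) -> dict[str, object]:
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        # A real gateway would authorise with the acquirer here; we just approve.
        return {"status": "approved", "amount": amount_pence, "last4": card["pan"][-4:]}


class BookingStore:
    """Merchant-side bookings table (in-memory SQLite in place of MySQL).
    Note the schema: there is no column that could hold a PAN or CVV."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE bookings ("
            " id INTEGER PRIMARY KEY, customer TEXT,"
            " card_token TEXT, last4 TEXT, expiry TEXT)"
        )

    def add_booking(self, customer: str, tokenised: dict[str, str]) -> int:
        cur = self.db.execute(
            "INSERT INTO bookings (customer, card_token, last4, expiry) VALUES (?, ?, ?, ?)",
            (customer, tokenised["token"], tokenised["last4"], tokenised["expiry"]),
        )
        self.db.commit()
        return cur.lastrowid

    def token_for(self, booking_id: int) -> str:
        row = self.db.execute(
            "SELECT card_token FROM bookings WHERE id = ?", (booking_id,)
        ).fetchone()
        if row is None:
            raise KeyError("no such booking")
        return row[0]

    def dump(self) -> list[tuple]:
        return self.db.execute("SELECT * FROM bookings").fetchall()


def pan_present(rows: list[tuple], pan: str) -> bool:
    """True if the full card number appears anywhere in the merchant's rows."""
    return any(pan in str(value) for row in rows for value in row)


def demo() -> dict[str, object]:
    vault = MockVault()
    store = BookingStore()
    pan = "4111111111111111"          # constructed test PAN, not a real card

    # 1. Booking time: card goes to the gateway, merchant keeps only the token.
    tokenised = vault.tokenise(pan, "12/27", "123")
    booking_id = store.add_booking("A. Customer", tokenised)

    # 2. Later, "offline" processing: the admin charges by token, never by PAN.
    result = vault.charge(store.token_for(booking_id), 12500)

    return {
        "pan_in_merchant_db": pan_present(store.dump(), pan),
        "charge_status": result["status"],
        "last4": tokenised["last4"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to check is `pan_in_merchant_db`: it stays `False` because nothing in the merchant’s schema or code path ever writes the card number down. If the client later keys the details into a terminal by hand they are back to handling raw PANs, which is exactly what the post above warns against; the token is only useful through the gateway that issued it.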

Hi Dan,

Many thanks for your detailed response.

I’m slowly edging away from this project if I’m being honest.

Actually I don’t even think they use a payment gateway. As far as I can tell from scanning the code, the card details are added to a MySQL db and then an Admin logs in, retrieves the card details and then processes it offline.

I think I may recommend they speak with SagePay or an equivalent to do some kind of MOTO operation. I totally agree. Storing these kinds of details is suicide.

I will let you know how I get on. Thanks again for all your help and advice.