I have no experience with storing credit cards and I do not know anything about the legal end of this.

The company I work for / develop for wants to store credit cards to process auto payments for accounts that are on layaway.

Does anyone know a site that lays out the guidelines, or experience with storing credit card information internally? I have heard that whatever server stores the card information is not allowed access to the internet and all information has to be encrypted.

Can anyone provide some feedback? Or know of a service that handles this for companies?

M'vy
Jeff

7 Answers

There are lots of different ways in which PCI impacts what you do; I'd point out the data security standards (PCI-DSS). Among many other things, they require strong authentication for anyone accessing the system remotely, and have a wide variety of restrictions on what kind of data you can keep.

Don't even think about storing credit cards without understanding PCI.

At high levels of sales, you will have to be audited by an accredited third party, and the audits can be quite strict, so start documenting early with that in mind.

Steve Dispensa

Like Steve and SteveS said, storing credit cards would make your business fall under PCI-DSS. Without the proper infrastructure already in place, this can be a monumental task. Here are a few things I can think of off the top of my head:

  • Transmission of credit card info has to be encrypted.
  • The networks and every server/workstation on the network require an active firewall and IDS.
  • Workstations and servers require antivirus.
  • Passwords need to change every 90 days.
  • Access to machines on the network has to be restricted.

That is just a very short version of a very long list; you can find the full version here: https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf. There is also PCI training, which can help you better understand PCI requirements. There are consultants who specialize in PCI compliance; you might want to check with other companies or IT security auditing firms in the area for any recommendations. Best of luck.

nickdew

You are referring to PCI (Payment Card Industry) Compliance.

Plus any legal requirements for the area your business operates.

Tsundoku
Steve

I would suggest using PayPal Website Payments Pro Hosted in combination with Reference Transactions through the DoReferenceTransaction API.

Website Payments Pro Hosted lets you embed PayPal's payment form in an iframe on your site ("Pay with PayPal" option can be disabled on request). Additionally, by using the DoReferenceTransaction API you can re-bill a user on any schedule by simply referencing a previous transaction ID (up to three months ago).
The beauty of this is that you won't need to store a single piece of personally identifiable data except a PayPal transaction ID.

See https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_DoReferenceTransaction
as well as
https://www.x.com/developers/paypal/products/website-payments-pro-hosted-solution

You would still need to be (somewhat) PCI compliant, but by far not as much as with a regular merchant account directly integrated into your site.

Especially with no prior experience it'd be wise to simply let someone else worry about it.

Robert

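The "store only a transaction ID" pattern Robert describes, as an added example that is not part of the answer or PayPal's own code: the local layaway record holds nothing but the reference transaction ID, and each installment is an NVP DoReferenceTransaction call built from that ID. The API version number, the credential placeholders and the injected `post` callable are assumptions; the endpoint host is PayPal's live NVP host.

```python
"""Re-bill a layaway account by PayPal reference transaction without storing card data."""
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlencode, parse_qsl

# Live NVP endpoint (the sandbox host is api-3t.sandbox.paypal.com).
NVP_ENDPOINT = "https://api-3t.paypal.com/nvp"

# Placeholder API credentials (assumption); real values come from the merchant's PayPal account.
API_CREDENTIALS = {"USER": "API_USERNAME_PLACEHOLDER", "PWD": "API_PASSWORD_PLACEHOLDER",
                   "SIGNATURE": "API_SIGNATURE_PLACEHOLDER"}


@dataclass
class LayawayAccount:
    # The only payment datum kept locally is the transaction ID of the customer's
    # original payment; no PAN, expiry date or CVV ever touches this system.
    account_id: str
    reference_txn_id: str


def build_reference_transaction(account: LayawayAccount, amount: str, currency: str = "USD") -> str:
    """Build the URL-encoded NVP request body for one DoReferenceTransaction call."""
    params = dict(API_CREDENTIALS)
    params.update({
        "METHOD": "DoReferenceTransaction",
        "VERSION": "85.0",                       # assumed NVP API version
        "REFERENCEID": account.reference_txn_id,  # prior transaction ID stands in for the card
        "PAYMENTACTION": "Sale",
        "AMT": amount,
        "CURRENCYCODE": currency,
    })
    return urlencode(params)


def parse_nvp_response(body: str) -> Dict[str, str]:
    """Decode an NVP response: URL-encoded key=value pairs separated by '&'."""
    return dict(parse_qsl(body, keep_blank_values=True))


def charge_installment(account: LayawayAccount, amount: str,
                       post: Callable[[str, str], str]) -> Dict[str, str]:
    """Charge one installment; `post(url, body)` performs the HTTPS POST and returns the body."""
    resp = parse_nvp_response(post(NVP_ENDPOINT, build_reference_transaction(account, amount)))
    ack = resp.get("ACK", "")
    if not ack.startswith("Success"):  # "Success" or "SuccessWithWarning" both mean charged
        # Surface PayPal's message; the response carries no card data, so it is safe to log.
        raise RuntimeError(f"DoReferenceTransaction failed: {resp.get('L_LONGMESSAGE0', ack)}")
    return {"status": ack, "transaction_id": resp["TRANSACTIONID"]}
```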
I would suggest that you do not roll your own solution here. Use APIs provided by Authorize.Net, and others, to implement this functionality.

getahobby

As other commenters have pointed out, storing credit card numbers should be avoided if at all possible.

If you are using Authorize.net to handle credit card transactions, you should investigate ARB (Automated Recurring Billing) and CIM (Customer Information Management). These optional offerings allow you to set up customer accounts that link to your system through a customer ID so that you can store sensitive customer data remotely, and schedule future transactions, without having to store credit card numbers or billing addresses.

zetetic

The most cost-efficient method to store credit card information while meeting PCI compliance without a lot of work and effort would be to use Amazon's AWS services. They just fulfilled PCI requirements in 2010.

Have a look here:

http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

This is the simplest method I know of for storing credit card information for your business.

Bug Magnet
  • They are PCI compliant as an infrastructure; you still need to be PCI compliant on the application level – AaronS Nov 05 '11 at 20:41
  • You can add [Google Cloud](https://cloud.google.com/security/compliance/pci-dss/) here as well... – zipzit Feb 01 '17 at 20:47