Re: FN-FORUM: Storing Credit Card Details - again
date posted 9th September 2006 19:31
On Wed, Aug 16, 2006 at 03:01:04PM -0000, D D Glendinning wrote:
> This time round, they want to be able to allow customers to store
> their credit card details, and when the order goes through will be
> processed manually through their PDQ machine.
There are probably rules in your client's terms which cover Cardholder
Not Present transactions in addition to technical concerns regarding the
safe handling of credit card numbers.

There are also a number of industry best practice documents which
describe how you *must* behave with regard to handling credit card
numbers online. The Mastercard PCI Compliance program is the most
important Best Practice guide:

... http://www.mastercard.com/us/merchant/security/what_can_do/SDP/merchant/requirements.html

Essentially this document does require that various parts of the
cardholder's data (e.g. CVV number) can never be permanently stored.
There are additional rules to be aware of - numbers can only be stored
in a non-reversible format. This is going to make it hard for you to
run the raw data through the customer's POS-PDQ.

If anyone is struggling with Mastercard PCI, I managed to take a 300
million pounds revenue company through the project without casualties,
and helped them tighten up network policy at the same time. Let me know
if I can help.

Andy