Actually if you process the cc there u have to store the reciept there for 2 years as a means of chargback, refunds, or govt./legal purposes.

I use an online system Linkpoint they store them there.

You can't just process a cc and then discard the number. I myself didnt want this responsibility keeping track etc so I opted for the above.

thanks for the reply bwnbwn. I'm not sure I follow though. We are using authorize.net. Our homegrown e-site posts the info to authore.net which of course in turn processes the card. I'm refering to whether or not to store the cc number in our site's database. I really don't know if authorize.net stores the number, but I know even if they do it is not accessible to us via the web terminal, at least I don't think it is?

just called authorize.net to verify. They do store it for the puposes bwnbwn mentioned but it is not accessible to us so it does not solve my issue. I still need to decide whether or not I should store it on my site so that it can be used to call issuing bank and verify a shipping address OR just change my site to only ship to the billing address?

"just called authorize.net to verify. They do store it for the puposes bwnbwn mentioned but it is not accessible to us so it does not solve my issue. I still need to decide whether or not I should store it on my site so that it can be used to call issuing bank and verify a shipping address OR just change my site to only ship to the billing address?"

You should be able to access the number before processing it as we do so this all the time on new orders.

I check them all the time through getting the card number and dates and checking this with master card/visa call in and address verification center. There is no need to get the issueing bank as you can use a central location to check.

You will see sometimes the address does not check out this can be a bad card or the owner has not updated the move. When I get a bad address I call the number on the order and check, it is about 50-50 on being a bad charge and person has moved.

Discover and AE both have their address verification number to call, There isn't any reason for you to store anything that is what you pay authorize.net to do

Call authorize.net back they will tell you how to access the card number before you process it for a batch.

All the first step is a preapproval for you to approve it.

You can only check US credit cards as international are a different horse altogether.

[edited by: bwnbwn at 6:33 pm (utc) on Dec. 12, 2006]

You might want to first do some reading on the PCI Data Security Standards [google.com], they're pretty stringent. Then have a talk with your merchant bank to see if they have any guidance.

If your site is closely monitored, how about this: Store the data in an encrypted format to be retrieved by private GPG key only. Once retrieved, print the information to hard copy. Then an archiving function removes the CC info from the database completely.

This provides only a scant opportunity between order placement and print/archive for the data to be compromised. The hard copies of course go offsite in a SAFE location. :-)

Of course this may add an additional maintenance issue and diligent monitoring.

thanks for the suggestion rocknbil. I think its a good one and I have been knocking around the concept of 'temporarily' storing the numbers as well in one way or another. Is this common?

"thanks for the suggestion rocknbil. I think its a good one and I have been knocking around the concept of 'temporarily' storing the numbers as well in one way or another. Is this common?"

No I hope this is not common as this just increases the odds of card theft from hackers and employees.

I can't understand why you would want to store them when they are available for you to get from your merchant services.

If authorize net does not have a way for you to get them get another merchant service as I can easiely get a card number for checking before the card is run as it cost more to refund the order than it does to process it.

bwnbwn, I did verify with authorize.net that you can't get the number. Changing gateways at this point will not be taken very well with the parties involved (details spared). That does not mean its not the right thing to do and I appreciate the information.

Authorize.net has tools that allow you to do address verification at the point of charge. You can reject charges where the address verification fails or doesn't match completely enough (you set the level of match you require).

I would also agree that printing hardcopies of cc numbers just widens your potential security vulnerabilities.

If you must keep the card number for the address check purpose, I recommend instituting a policy of deleting the card numbers on a regular basis (every 2 weeks) so minimize your exposure.

I was in a very similar situation about a year ago, working with authorize.net but needing a full cc# and exp. date to verify orders, perferm refunds, etc. Our solution was to encrypt a copy of the receipt with payment info on the server, which were automatically downloaded in a batch daily. These receipts (still encrypted) were stored on the network for 1 year. If we ever needed the cc info, we would copy the file, decrypt using a key only 2 employees know, print, and delete -- which left only a hard copy of the data. Immediately after the data was put to use, the paper was shredded leaving no copy of the credit card.

We ran this process by our merchant bank (one of the big ones) and they said this was sufficient protection. May have changed a bit in the last year, though. Good luck with it.

Let me also point out authorize.net does NOT require the full cc number to process a refund. The last 4 digits plus any valid expiration date (even if it is not the card's date) plus the transaction number is sufficient.

According to the Visa and Mastercard agreement you are not allowed to store the Credit Card information of the customer. It is an illegal act, and if you are ever hacked and the information becomes stolen you will be liable for it.

However, 90% of merchant store the CC # for various reasons. I would recommend storing it myself, because at least you will need it however you may want to reconsider if are not comfortable with your server.

We have over 50 employees, we restrict access to the CC information from them, we only display the last 4 digits.

No I hope this is not common as this just increases the odds of card theft from hackers and employees.

Do you know how a GPG key works? A public key creates the encryption, and it cannot be decrypted without the use of a private key, which is only physically present at the time of decryption. It's virtually impossible* to crack unless someone physically steals your private key. If performed on a secure server, this doubles the security measure. Employees are a different matter.

No, this method is not common, because it's difficult to set up and requires getting your hands dirty to use it. But it's highly secure.

I've seen the backside of a lot of merchant shopping carts. It's not pretty. There is a lot of storing going on, with only scant security measures.

* Nothing is impossible. But it would take months of number crunching to break a GPG key.

you should never store the number unless you need to - payment systems like worldpay / 2co etc store the number and other info for you - they do the AVS / CVV checks automatically for you - they have systems that allow you to do the refunds - and they are compliant with all the regs and they are secure

if you have a large business you might prefer your own payment gateway - but that costs a vast amount of money and needs lots of security checks to ensure compliance with all the regulations and the law etc

if you are not a large business then just use a large payment processing company

small businesses storing card info are often in breach of law or PCI regs etc by not storing data securely - main reason they do this is to save money - although they often just don't get the facts that they often aren't saving a penny, they are spending time manually processing card details, and they are taking risks with security

there is no need to store numbers, ever
use a large payment processor, save yourself time, hassle, money and the risks

DavidJC

I would look into changing as I just signed up our business and it was free with cardservice. Simple to set up do online and all u need to do is change the processing url in your cart.

This is by far the best most simple way to get this taken care of..I for one couldn't run our business if we couldn' check the cc numbers on our orders.

rockbill - there are several secure encryption methods. But, most people don't get the encryption wrong, but they do get the setup wrong. They don't store the keys properly, properly seed the key generator or realize when the key has been compromised.

For example, a php programmer might hardcode the key into their code so their script can do the encryption directly - a huge, but common security problem. I have seen website put an encryption key into a client side js.

Encryption has to looked at in the context of the entire application.

Also, don't forget the most security breaches come from inside an organization. Storing cc numbers makes them easy prey to people who have access to them.

thanks all for all the info... its appreciated.

bwnbwn, as far as changing now, I know it can be done but I think there may be more involved for us since our site is a completely custom programmed site. I beleive its currently using an authorize.net specific programming API... I am not the programmer so I am not certian of the details but I don't think it would be a simple matter of changing the URL it posts to, I think some programming changes will need to be made. Of course it can be done and we just might. I will be including this as a possible option and find out how much programming, if any, would be needed.
Thanks again.