CVV Via email to merchant

Can you send the cvv via email to a merchant

7:21 pm on Feb 21, 2013 (gmt 0)

Preferred Member from US 


joined:May 6, 2004
posts: 650
votes: 0


Hi

I started working on someone's old ASP driven site.

The way the ordering process is set up, it takes the credit card info from the customer and sends it in an email to the site owner including the CVV. As far as I know, there is no encryption going on with the emails.

I suspect that this might not be an allowable way of doing things.

The basics
- The site uses ASP.
- No data is stored on the site when an order is placed. It is transmitted via email.
- It does not appear that there is any encryption with the email to the site owner
- The email includes the order, credit card info and CVV.
- The range of line items in the catalog is about 50

Ideally, I would like to migrate to an established online cart and payment gateway. However, I don't think the client wants to make that type of major change at this point.

Again, the main question is "Is transmitting the CVV with the credit card info in an unencrypted email acceptable?" I would think it isn't.

A secondary question would be if it would be allowed if the CVV was sent in a second email without the rest of the credit card info.


I'd appreciate any thoughts.

thanks

chris.
7:25 pm on Feb 21, 2013 (gmt 0)

Moderator from US 

lifeinasia (WebmasterWorld Administrator)

joined:Dec 10, 2005
posts:5613
votes: 33


However, I don't think the client wants to make that type of major change at this point.

Run away! This project has too many red flags all over it.

Spend a few minutes to explain to the client that this setup violates so many terms of service and violates PCI compliance, and that he is opening himself up to some serious liability. If you can't make him understand the gravity of the situation within 3 minutes, RUN AWAY!
7:28 pm on Feb 21, 2013 (gmt 0)

Moderator from GB 

andy_langton (WebmasterWorld Administrator)

joined:Jan 27, 2003
posts:3318
votes: 130


Seconded. The site owner is opening themselves up to liability for any fraud that might affect customers. Even a single instance of such fraud could easily outweigh the costs to implement a basic solution that would also not risk every customer's financial security.
12:31 am on Feb 22, 2013 (gmt 0)

Senior Member


joined:May 6, 2005
posts:670
votes: 0


The PA-DSS standard requires that the merchant encrypt sensitive communications over the Internet. If the email were encrypted, and the merchant acted to protect the payment information, and didn't retain it, the practice would be fine.

An unencrypted email doesn't meet the standard of PA-DSS. But if you've ever read your card number over the phone to someone, or handed your card over to a bartender to run a tab, you've placed your payment information into a much riskier situation than the owner of this site. I'd simply set him up with an offsite payment processor, so he doesn't have to deal with silly offline processing of credit cards.

And watch out for so-called "PCI Consultants" who will gladly charge you thousands for an audit. They do these audits without looking at a single line of source code, but instead rely on "scans" of your website. Your customer is probably considered a "Level 4" merchant, and an annual self-assessment questionnaire is required; not the payment of thousands to a consultant.
10:30 am on Feb 23, 2013 (gmt 0)

Senior Member from GB 

piatkow (WebmasterWorld Senior Member)

joined:Apr 5, 2006
posts:3326
votes: 21



But if you've ever read your card number over the phone to someone, or handed your card over to a bartender to run a tab, you've placed your payment information into a much-riskier situation than the owner of this site.

I was thinking about posting the same after reading the OP. It does pay to read the entire thread first.

My own view is that online card processing is something that any SME should outsource.
2:07 pm on Feb 23, 2013 (gmt 0)

Senior Member from US 

lorax (WebmasterWorld Senior Member)

joined:Mar 31, 2002
posts:7575
votes: 0


Bad situation as is, and while the chances may be slim that something will happen, if it did, it could be a huge issue for your client.

Why not write a quick script that dumps the data into an encrypted db instead of emailing it? Then write an admin interface that allows your client to access the info via https. He could get the data, then delete the record. Of course, this brings up its own PCI compliance issues.