I started working on someone's old ASP driven site.
The way the ordering process is set up, it takes the credit card info from the customer and sends it in an email to the site owner including the CVV. As far as I know, there is no encryption going on with the emails.
I suspect that this might not be an allowable way of doing things.
- The site uses ASP.
- No data is stored on the site when an order is placed. It is transmitted via email.
- It does not appear that there is any encryption with the email to the site owner
- The email includes the order, credit card info and CVV.
- The range of line items in the catalog is about 50
Ideally, I would like to migrate to an established online cart and payment gateway. However, I don't think the client wants to make that type of major change at this point.
Again, the main question is "Is transmitting the CVV with the credit card info in an unencrypted email acceptable"? I would think it isn't
A secondary question would be if it would be allowed if the CVV was sent in a second email without the rest of the credit card info.
I'd appreciate any thoughts.