
Storing credit card numbers securely


pjakobs

1:39 am on Jul 6, 2006 (gmt 0)

10+ Year Member



Yes, I realize it is a BAD idea to store credit card numbers in our database, but I have a customer that insists on doing this so that the customer does not have to re-enter credit cards with repeat purchases. I've tried to explain why that's a bad idea and offer alternatives, but they won't budge.

So, if I need to store credit cards, what hosting solution do you suggest? Do we absolutely have to have a dedicated server, or are there any PCI compliant shared hosting companies out there? As for storing the credit card info in the database using PHP/MySQL, is AES encryption good?

Is there any payment gateway service out there that will store the credit cards for us and will allow us to make additional charges to the cards when we do repeat sales without the customer having to re-enter anything? I'd much rather entrust this to a trusted company than do it ourselves.

Thanks,
Paula

minnapple

2:58 am on Jul 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Beyond the technology, talk to a lawyer and have them put together an agreement to help protect you.

The cost of doing this plus a mark-up should be the customer's responsibility.

Then you should have a monthly upcharge to cover the additional cost of this service.

Considering the risk, I would make it a rather large upcharge.

Better yet, have the client directly pay for secure hosting and have a lawyer put together something that completely removes you from any risk.

Remember, one lawsuit can put you under.

Candid India

8:33 am on Jul 6, 2006 (gmt 0)



I would agree with minnapple as regards taking the advice of a lawyer. To my knowledge it's not even legal to store the card details which the customers feed in good faith over a secured payment gateway.

pjakobs

1:06 pm on Jul 6, 2006 (gmt 0)

10+ Year Member



The customer would know that we're storing the information; they'd basically be signing up for a service where the site would buy gifts on their behalf for people they've entered in the system. So, on a certain date, like a week before Aunt Maple's birthday, it would buy a gift for her from a chosen price range and category. The customer would agree upon signing up that we'd be doing this. So, it's not illegal. But I still hate taking the risk. Thanks for your advice about the lawyer. I'm still hoping to just outsource that part to somebody else so I don't have to take the risk in the first place.

Paula

RailMan

2:08 pm on Jul 6, 2006 (gmt 0)

10+ Year Member



WorldPay have FuturePay - that will do everything your client needs and no fuss, no hassle, no risks etc

other gateway providers probably do the same

don't risk storing card numbers - remember your client is not your boss - you are not a slave - you do not *have* to do what your client wants - it's your job to tell your client what you will do

iloveu

10:15 pm on Jul 6, 2006 (gmt 0)

10+ Year Member



We have the same problem.

So far, we don't require customers to sign up for an account before checkout; we store the customer's shipping information only for every order, not billing information. Our payment flow is very simple: we pass shopping cart data to the payment gateway, and the customer types his/her credit card information on the payment gateway.

Now we want to change the programming and set up customer accounts, let repeat customers input their billing and shipping information, store it, and pass it to the payment gateway for transaction approval.

The problem is we use a shared-hosting service with classic ASP backed by MS SQL. Is that secure?

bedlam

5:50 am on Jul 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The customer would agree upon signing up that we'd be doing this. So, it's not illegal.

This is absolute nonsense.

If a customer agrees to something that is against the merchant's agreement with his or her payment processor, it does not suddenly become permissible.

You should probably not be involved in this project at all until you are certain that your client is not asking you to aid him in violating the terms of the agreement he has with his payment processor.

Personally, I'd want to review the language of the agreement myself and receive written confirmation from the payment processor that what you're undertaking is allowed--and it wouldn't take much uncertainty to cause me to back out of the project.

-b

RailMan

9:23 pm on Jul 7, 2006 (gmt 0)

10+ Year Member



You should probably not be involved in this project at all until you are certain that your client is not asking you to aid him in violating the terms of the agreement he has with his payment processor.

why bother with all that legal hassle when the solution is very simple - pay to use a proper payment provider that does it all for you

problem solved

BananaFish

5:35 pm on Jul 8, 2006 (gmt 0)

10+ Year Member



You can store credit cards fairly securely, but at the very least you'd need a dedicated server to manage this. And you'd need to hire a consultant to set it up for you. As mentioned, it's probably better off with a processor that does this for you if possible.

pjakobs

8:11 pm on Jul 8, 2006 (gmt 0)

10+ Year Member



I'd much prefer a processor that does this for us, but can't find one yet. I'm waiting to hear back from the company RailMan mentioned about FuturePay; hopefully that'll do what we need. Most periodic payments offered by processors like authorize.net are for fixed amounts charged on fixed dates, and what we need is different.

Paula

wayzel

12:08 am on Jul 9, 2006 (gmt 0)

10+ Year Member



Guys, storing credit card data is in and of itself not illegal. However, storing CVV2 data at all, or storing credit card number strings without encryption, firewall protection, etc. is against PCI compliance rules.

There are several PCI compliant hosting providers out there.

Corey Bryant

5:21 pm on Jul 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are some gateways that actually store a portion of the CC number on their site and then you store the other portion.

Being PCI compliant is a combination of things - server, code, etc. So even if a host is PCI compliant, that will not mean you are unless your code is. And you might not even need to be PCI compliant if you are doing less than XX number of transactions per month.

Plus, it is a catch-22. Visa/MasterCard want you to keep records for three years, but how can you keep these records if you cannot store (credit card numbers)?

A lot of companies store CC data, but as pointed out, do not store the CVV. But at least collect that on the first transaction to pass to the gateway so the transaction provider can let you know whether it matches or not. Consider even collecting that every time.

-Corey
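As an added example (not code posted by anyone in this thread) of the design wayzel and Corey describe: a card-on-file record that keeps only the gateway's token, a PCI-style masked number and the expiry, with no field for CVV2, plus a Luhn-filtered detector for card numbers that leak into logs. The token format and the sample log lines are constructed for the example.

```python
"""Card-on-file record that holds no PAN (only a gateway token, a PCI-style mask
and the expiry, no CVV2 field) plus a Luhn-filtered PAN detector for log lines."""
import re
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (mod 10); filters random digit runs out of PAN detection."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass(frozen=True)
class CardOnFile:
    gateway_token: str   # opaque reference issued by the payment gateway (placeholder format)
    masked_pan: str      # e.g. 411111******1111, shown to the customer so they can pick a card
    exp_month: int
    exp_year: int

def build_card_on_file(pan: str, exp_month: int, exp_year: int,
                       gateway_token: str) -> CardOnFile:
    """Validate the submitted number, then discard it: only the token and mask are kept.
    CVV2 goes to the gateway with the first authorization; it is deliberately not a parameter."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return CardOnFile(gateway_token, mask_pan(digits), exp_month, exp_year)

# 13 to 19 digits with optional space/dash separators, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers appearing in text, e.g. a log line that should have none."""
    runs = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in runs if luhn_ok(d)]

# Constructed sample log lines; the 13-digit reference on line 3 fails Luhn and is not reported.
SAMPLE_LOG = [
    "order=1001 token=tok_7f3a1c last4=1111 status=approved",
    "DEBUG raw request: pan=4111 1111 1111 1111 cvv=123",
    "order=1002 ref=1234567890123 status=declined",
]
```

Running `find_pans` over each line of `SAMPLE_LOG` flags only the debug line, which is the kind of accidental PAN storage (in a log rather than a table) that the PCI rules mentioned above also cover.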