
CISP and legal questions regarding storing credit cards

11:37 pm on Oct 25, 2005 (gmt 0)

New User

10+ Year Member

joined:June 5, 2005
posts:9
votes: 0


Say I want to create a secure order form in which a customer enters their credit card # and their information is then stored on a (MySQL) database. An admin logs in with a secure connection to then process the orders off of a web (PHP) backend interface. They would read the numbers off the screen and enter the numbers manually into their system. My question is: is all this CISP compliant and/or legal?

Specifically, are you allowed to store credit cards on a database? CVVD numbers? What are the minimum standards for encryption? Can the orders with their CC numbers (and possibly CVVD ids) be displayed on a secure web page for processing? Are there any sources on the net that give legal guidance concerning credit cards storage laws for states and the feds?

Also is it legal to store CC information such that customers can purchase products or services without having to reenter their CC information?

11:54 pm on Oct 25, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 13, 2004
posts:101
votes: 0


It is illegal to store credit card CVV2 data. You can read the Visa/MC terms and regulations guide which your bank can send you (you may also be able to find online) for all the ins-and-outs, but that is one I am certain of.

Last time I checked, you could store credit card data in your DB but only if it was encrypted (details of this I don't remember.) You can use the stored data to provide recurring payments or allow people to re-purchase without re-entering all of their payment data. There is also a CISP compliance questionnaire you need to fill out internally, basically just 'do you follow these best practices' (not sharing passwords, encryption keys, etc.) type of thing. Your site hosting location, payment processing gateway, and SSL provider all have to be CISP compliant as well.

4:14 pm on Oct 26, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 22, 2005
posts:373
votes: 0


why make work for yourselves? why not use a real time payment processing system where everything is taken care of and you have no security and data storage issues?
4:55 pm on Oct 26, 2005 (gmt 0)

Full Member

10+ Year Member

joined:June 7, 2004
posts:263
votes: 0


hmm,

we use Mals-e.com at work. The customer enters the CC details (card number, CVV, Exp and issue numbers), and we log in, get the details, and key it in on our PDQ machine as customer not present.

I'm sure this is what you are describing, but this can't be against Visa/MC rules, as hundreds of people use mals-e.com, and Essex_Boy swears by them.

8:12 pm on Oct 29, 2005 (gmt 0)

New User

10+ Year Member

joined:June 5, 2005
posts:9
votes: 0


Amazon must also store credit card info on some internal system as well...

From VISA I found the following:

When is it acceptable to store Card Verification Value 2 (CVV2)?

It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization. The Visa Operating Regulations prohibit such storage, whether encrypted or unencrypted.

usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_FAQ.pdf

So I think it's ok to store CVV2 numbers as long as you delete them after you process the transaction... Anybody know if this is exactly what this means?

8:31 pm on Oct 29, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 22, 2005
posts:373
votes: 0


>>So I think it's ok to store CVV2 numbers as long as
>>you delete them after you process the transaction...
>>Anybody know if this is exactly what this means?

Use a real time system - no need to store anything.

10:23 pm on Oct 29, 2005 (gmt 0)

New User

10+ Year Member

joined:Feb 24, 2004
posts:10
votes: 0


It is not legal to store CVVs at all! There are also a number of rules surrounding how you actually store the card data. But CVV can never be stored. It can be checked and dropped after the transaction.

There is a list on Visa's website of CISP certified payment applications and Mals is not on the list. It takes a great deal of time and a lot of money to implement all the necessary pieces to become a certified payment application. My guess is Mals isn't going to be able to do it.

Visa predicts that a number of ecommerce vendors who don't comply will be driven out of business as banks begin to check that their merchants are using PABP certified service providers.

Everyone is right. You should use a real time payment gateway, or pay the higher rate for not having the CVV code.

It takes a lot of work to follow all of their rules.....but...it is worth it. If you get breached and you are not compliant, your merchant bank will be fined $500,000 and then they will likely revoke your merchant account.

I know a TON about CISP as MonsterCommerce became certified as a payment application in early September and became CISP certified at that time too. Ask away and I will do my best to answer.

Here are some links for you:
Compliant Service Providers:
[usa.visa.com...]

More info on CISP for merchants:
[usa.visa.com...]

Let me know if I can shed anymore light.

Steph

11:36 pm on Oct 29, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 14, 2001
posts:616
votes: 0


Steph,
There is a list on Visa's website of CISP certified payment applications and Mals is not on the list.

Mals is a free shopping cart and not a payment application. They have processing through several gateways available. Looking over that list I didn't notice any shopping cart software mentioned.

I know it's against the CISP rules to store the secure codes in the US but Mal's is in the UK and they have a bit different rules.

2:05 am on Oct 30, 2005 (gmt 0)

New User

10+ Year Member

joined:June 5, 2005
posts:9
votes: 0


Steph, thanks for the info. A couple more questions though...:

1) If storing CVV2 data at all and at any time is not CISP compliant/legal, then why did VISA add the 'subsequent' qualifier to their statement:

It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization. The Visa Operating Regulations prohibit such storage, whether encrypted or unencrypted.
...because to me, this seems to say that you CAN store CVV2 data, but you have to delete as soon as you process the transaction, right?

2) Can you store non-CVV2 data no problem? (like CC NUMBER, EXP Date, Name, etc...) As long as you use an SSL connection to transmit the data over a network and you encrypt the CC number in your database, you're ok, right?

3) Do you HAVE to go through any certification process with VISA (and the others) in order to operate a CC storage application? (I mean wait staff in restaurants see CC information all the time and don't have to go through all this...)

4) Are any of these CC restrictions new, or have they been around for a while?

5) Are there any laws on top of CISP that regulate online CC applications and storage applications?

3:04 am on Oct 30, 2005 (gmt 0)

Senior Member from FR

10+ Year Member

joined:Feb 15, 2004
posts:7139
votes: 412


horizontal scroll ..ouch!
7:23 am on Oct 30, 2005 (gmt 0)

New User

10+ Year Member

joined:Feb 24, 2004
posts:10
votes: 0


Hey guys-
Sorry the proper link for payment applications that are certified is:
[usa.visa.com...]

The last link I gave you was for certified service providers. Even I get confused with all the terminology sometimes. All payment applications (which means shopping carts) have to be certified. If Mal's isn't yet, they will have to be very soon as merchants who use them will start losing their merchant accounts. It will be a requirement sometime in 2006 that merchants use a payment application that has been approved.

Ok...answers to the rest of your questions:

1) If storing CVV2 data at all and at any time is not CISP compliant/legal, then why did VISA add the 'subsequent' qualifier to their statement: It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization.
>>>>>>>This means that while the transaction is being authorized (most sites only a few seconds) the data has to be there to be read. You must drop the data as soon as the authorization is obtained. This doesn't allow you to keep it in a database for any amount of time.

The Visa Operating Regulations prohibit such storage, whether encrypted or unencrypted.

...because to me, this seems to say that you CAN store CVV2 data, but you have to delete as soon as you process the transaction, right?
>>>>>>>>You are not supposed to store it at all. Only read it and then drop it.

2) Can you store non-CVV2 data no problem? (like CC NUMBER, EXP Date, Name, etc...) As long as you use an SSL connection to transmit the data over a network and you encrypt the CC number in your database, you're ok, right?
>>>>>>>You must store your data in an encrypted format. You must also transmit using SSL. There are also a number of network criteria you must meet if you are storing credit card data as well.

3) Do you HAVE to go through any certification process with VISA (and the others) in order to operate a CC storage application? (I mean wait staff in restaurants see CC information all the time and don't have to go through all this...)
>>>>>>>>>I understand that but skilled hackers can access millions of credit cards at one time, not a quick peek at one or two cards in a restaurant. All merchants must adhere to the PCI (Payment Card Industry) Standard. Depending on the number of transactions you process in a given year, you may have to officially validate with Visa. This means submitting a Report On Compliance that verifies that you take certain measures to protect your data.

4) Are any of these CC restrictions new, or have they been around for a while?
>>>>>>>>>>They are pretty new. September 30 of 2004 was the deadline for companies like ours to comply (payment applications, gateways, etc.) June 1, 2005 was the deadline for merchants to comply. So yes, in the overall scheme of things these regulations are very new.

5) Are there any laws on top of CISP that regulate online CC applications and storage applications?
>>>>>>>>>There are no laws per se, however, since you take credit cards, you sign a very long agreement with a bank and that bank signs a very long agreement with Visa, MasterCard, etc. This is how they force you to comply and police it. Visa, MasterCard and Amex have all teamed up on this except Visa appears to be the most active of all three card associations.

I hope this helps.
Let me know if I can answer some more questions for you.

Steph
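The two rules that keep coming up in this thread, CVV2 is used for the authorization call and then dropped, and a real-time gateway leaves the merchant with nothing sensitive to store, can be shown as a concrete order flow. The block below is an added example written for this page; it is not code from the thread, from Mals-e or from any gateway mentioned here. `FakeGateway`, its `tok_` tokens and the `A98765` auth code are constructed stand-ins for a real gateway's interface, the `4111 1111 1111 1111` number is the standard Luhn-valid test number, and `find_pans` / `record_is_clean` are retention checks of the kind you would run over a database dump or log file to confirm that no full card numbers or CVV2 values are being kept.

```python
import json
import re


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; also rejects lengths outside 13-19."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What an admin screen may show: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class FakeGateway:
    """Constructed stand-in for a real-time payment gateway (assumption: a real
    gateway behaves like this at the interface level). It authorizes in memory
    and returns an opaque token plus an auth code; it never returns card data,
    so the merchant has nothing sensitive left to keep."""

    def __init__(self, today_ym: str):
        self.today_ym = today_ym       # "YYYY-MM", fixed so the example is reproducible
        self._vault = {}               # token -> PAN, held only on the gateway side

    def authorize(self, pan: str, exp_month: int, exp_year: int, cvv2: str, amount_cents: int):
        if not luhn_valid(pan) or not re.fullmatch(r"\d{3,4}", cvv2):
            return {"approved": False}
        if f"{exp_year:04d}-{exp_month:02d}" < self.today_ym:
            return {"approved": False}           # card already expired
        token = f"tok_{len(self._vault) + 1:06d}"
        self._vault[token] = pan
        return {"approved": True, "auth_code": "A98765", "token": token}


def process_order(gateway: FakeGateway, form: dict, amount_cents: int):
    """Authorize the card and return the only record the merchant persists.
    The CVV2 is passed to the gateway and then goes out of scope with the form;
    the full PAN is replaced by the gateway token plus a masked copy."""
    pan = re.sub(r"\D", "", form["pan"])          # strip spaces/dashes typed by the customer
    resp = gateway.authorize(pan, int(form["exp_month"]), int(form["exp_year"]),
                             form["cvv2"], amount_cents)
    if not resp["approved"]:
        return None
    return {
        "card_token": resp["token"],
        "pan_masked": mask_pan(pan),
        "exp": f"{int(form['exp_month']):02d}/{form['exp_year']}",
        "auth_code": resp["auth_code"],
        "amount_cents": amount_cents,
    }


# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Scan a database dump, log file or page output for Luhn-valid card numbers.
    Any hit in data at rest means full PANs are being retained in the clear."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def record_is_clean(record: dict, cvv2: str) -> bool:
    """Retention check for a stored order: no full PAN and no trace of the CVV2."""
    blob = json.dumps(record)
    return not find_pans(blob) and cvv2 not in blob and "cvv" not in blob.lower()


if __name__ == "__main__":
    # constructed sample input: the Luhn-valid test number, not a real card
    form = {"pan": "4111 1111 1111 1111", "exp_month": "12", "exp_year": "2099", "cvv2": "456"}
    gateway = FakeGateway(today_ym="2005-10")
    order = process_order(gateway, form, 2500)
    print(order)
    print("retained record clean:", record_is_clean(order, form["cvv2"]))
    print("PANs in a bad log line:", find_pans("order 17 card=4111 1111 1111 1111 cvv=456"))
```

The record returned by `process_order` is all the admin page needs to show (masked number, expiry, auth code, amount) and all the merchant needs for a later refund or repeat charge (the gateway token). The path the original poster describes, keeping full card numbers in MySQL for manual keying, is the one where the encrypted-at-rest and network requirements Steph lists apply; this example follows the "use a real-time system" advice instead, so there is no full PAN to encrypt.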

7:45 am on Oct 30, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 22, 2005
posts:373
votes: 0


>>I know it's against the CISP rules to store the
>>secure codes in the US but Mal's is in the UK and
>>they have a bit different rules.

it's you, the merchant, that must obey the rules and comply with CISP

>>5)Are there any laws on top of CISP that regulate
>>online CC applications and storage applications?

the UK data protection act says you must secure data. it doesn't go into specifics like which technologies to use, but it does say you must use technologies that are available and that will secure the data - therefore storing card details in plain text format when PGP encryption is available is clearly a breach of the law

it's a shame the uk don't enforce this, but the data protection act isn't just about credit card numbers