Illegal to store CID# on your server?

         

dvduval

6:54 pm on Jun 24, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was recently told by a software vendor that storing the CID# for credit cards on a web server is expressly prohibited in the TOS of credit card issuers.

Secondly, many merchant services starting in the next couple months are charging a $.50 per transaction fee when the CID# is not given.

We currently import credit card information from our web server to our in-house software because we sell products online as well as offline. It appears we are going to be forced to begin processing cards online or pay a huge penalty.

Anyone else having a problem?

dvduval

7:58 pm on Jun 24, 2003 (gmt 0)


Being forced to charge the card online also adds another major problem:
-about 20% of the time the item is on back order

Therefore, I would have to manually credit the card and then send the customer an email letting them know the card was credited until the item becomes available.

NFFC

8:14 pm on Jun 24, 2003 (gmt 0)


>told by a software vendor that storing the CID# for credit cards

I think there may be two issues here; firstly never trust a software vendor :), secondly define "store".

It's the nature of ecommerce that CC details have to be stored, this is how we work it.

A customer places an order, we "store" that on the web server encrypted. We then transfer that info from the web to local, at this stage we use a custom encryption routine during transfer. Once the transfer is complete we delete the details from the web server. We print a hard copy of the details and process the transaction. Once the transaction has been processed the details are encrypted again using a different algo, after a short period the details are nuked.

dvduval

8:29 pm on Jun 24, 2003 (gmt 0)


>We print a hard copy of the details and process the transaction.

Wouldn't you also need to "store" the CID number on your local server? What if you import over 100 transactions? I would assume you would need to "store" them until the transaction was processed, especially if you plan to have a human check the order for accuracy.

NFFC

8:37 pm on Jun 24, 2003 (gmt 0)


>Wouldn't you also need to "store" the CID number on your local server?

Sure we have to, how else would we know the CID?

We may be getting hung up on word definitions, we don't "store" the CID, we grab it, process it and then nuke it.

dvduval

8:40 pm on Jun 24, 2003 (gmt 0)


The reason I ask is because I have a software vendor refusing to import the CID number because they claim it would be illegal to do so. This software vendor has hundreds of clients in the mail order business.

In addition, I would like to find a definitive answer with regard to the TOS for credit card merchants.

If it is illegal to store the CID number, this could affect hundreds of online stores who import orders, forcing them to invest in software changes or pay fees for not getting the CID number.

edit_g

8:55 pm on Jun 24, 2003 (gmt 0)


NFFC - that is exactly how we do it as well. Large ecommerce site - and this is the only way to do it IMO.

>The reason I ask is because I have a software vendor refusing to import the CID number because they claim it would be illegal to do so. This software vendor has hundreds of clients in the mail order business.

How about trying a different supplier? It sounds to me like they're not up to the task. You need your records - you're a customer - can you take your custom elsewhere without too much hassle?

dvduval

9:05 pm on Jun 24, 2003 (gmt 0)


>You need your records - you're a customer - can you take your custom elsewhere without too much hassle?

It would be a large (for us) overhaul to change the in-house software (at least $10,000), plus training and installation support. We might be stuck paying $.50/transaction for a while.