
Thread: PCI Compliance

  1. #1
    Senior Member Greg K
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    577

    Default PCI Compliance

    Just wanted to share this for people:

    https://www.pcisecuritystandards.org/merchants/ (general merchant info)
    https://www.pcisecuritystandards.org/smb/ (geared to inform small businesses)

    I have found that, working with clients, even some who have had e-commerce for a while do not fully understand the rules out there and how they are affected by them. But this information is not just for e-commerce, it is for anyone accepting a credit card.

    If you are unsure how your company is on the issue of handling credit card information, I highly recommend you at the very least contact your bank for help. I know from years on here, many of you like to be in control of things and do it how you think it needs done, but anymore this is an area that you don't want to guess at.

    I've read up a lot on it, and even I wouldn't claim to know half of it fully. Just as an example of some issues:

    How do you store customer card information on reservations?

    At the limo company I did work for before, you call up, give your reservation, give the credit card number, it gets written down on a card they filled out, and that card was left out where anyone coming into the office could see it. You store it in a computer? Is it encrypted? Is it secured? (Not only as to who can log on to retrieve it, but also the physical access to the machine.)

    What information do you collect, and how long do you retain it?

    You know the code on the back of cards (Card Code/CVV/etc.)? Those are NOT allowed to be stored past the time you charge a credit card. These are rules set by Visa/Mastercard; no one can "authorize" you to do otherwise.
    BTW, check with your merchant account provider: do they actually require this number? Some don't. If your account is set not to require it, you may be able to get a cheaper rate by changing your account to require it.

    But we keep a client's credit card on file so they don't have to give it every run? What about the CVV # then?

    To be honest, this is where you need to contact your bank or merchant account provider and ask their recommendation. The nearest I have had to deal with this was taking a credit card number for a monthly subscription, and having to recharge them each month. Basically what we did was run the card with full data the first time, and as long as that passed the first time, continued to recharge it each month without the CVV data (it already verified once).

    Have your own custom website you collect credit card information on?

    It gets even more fun here. The big thing people think about is "was it a secure web site". This is just the start. I have personally seen a secure site get the credit card information, then send it unencrypted over regular e-mail to the client. Might as well not have been a secure web site. Saving it in a database? Better be encrypted. Database server/accounts need to be secured. DIY website? Get a reputable company to test your site. Done properly, these are NOT cheap, but they do a good job.

    This is getting to be a bigger issue; more companies/banks that offer merchant services are starting to enforce the requirement of regular (I think quarterly) scans of your site. Each time you can't prove you passed, you are fined. This is more than just how well a site is programmed, but also how the server is configured. One company we dealt with, if the server software (e.g. Apache/PHP/MySQL) was more than 2 weeks out of date with any "security updates", you failed.


    Anyhow... in my field, those are the three main topics of concern when it comes to credit cards, but I wanted to share it here. Another thing: a lot of smaller companies think "eh, what's the worst that could happen". Think how much identity theft is a big term now; think how much people sue nowadays. Once you have been found to compromise even ONE credit card number, you are liable for ALL cards that were processed the same way. Not fun having to pay out a settlement to hundreds of card holders for the inconvenience of having their credit cards replaced, and possibly paying for a year or more of identity theft monitoring for each of them.

    Hope this helps. Again, like I said, I'm no expert in this area, just sharing what parts I know and references to where to find out more. Heck, this stuff is so much of a mess that for the business I'm starting I'm using a 3rd-party website for processing. They are in the business of making sure they know the rules, so one less headache for me to worry about ;-)

    -Greg
    Last edited by Greg K; May 18th, 2011 at 09:56 PM.
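Two of the points above (CVV is never kept once the charge has been run, and card numbers should not sit in plain records where anyone can read them) can be enforced and checked in code. This is an added example, not code from the thread or from any product named in it; the record layout, field names and the sample reservation note are constructed assumptions.

```python
"""Added example: retain only what is allowed after authorization, and find
full card numbers that have leaked into free-text reservation notes."""
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2  # same as d*2, minus 9 if > 9
        total += d
    return total % 10 == 0

def sanitize_after_auth(record: dict) -> dict:
    """Reservation record as it may be kept once the charge is approved:
    CVV (and any track data) is dropped entirely, PAN is truncated to last four.
    A card kept on file for later charges belongs in an encrypted store, not here."""
    pan = re.sub(r"\D", "", record.get("pan", ""))
    kept = {k: v for k, v in record.items() if k not in ("pan", "cvv", "track_data")}
    kept["pan_masked"] = ("*" * (len(pan) - 4) + pan[-4:]) if len(pan) >= 4 else ""
    return kept

# 13-19 digits, optionally separated by spaces or dashes, as people type them
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text (e.g. notes fields)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample: a note a dispatcher might have typed; 4111... is a test number.
NOTES = ("Reservation #17 card 4111 1111 1111 1111 exp 12/14 cvv 123\n"
         "Driver phone 614-555-0199, pickup 8:30am")

if __name__ == "__main__":
    print(find_pans(NOTES))                       # ['4111111111111111']
    print(sanitize_after_auth({"name": "J. Doe", "pan": "4111 1111 1111 1111",
                               "exp": "12/14", "cvv": "123"}))
```

The phone number in the sample is ignored because it is too short and fails the checksum, which keeps the scan from flagging every digit string in a dispatch log.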

  2. #2
    Senior Member
    Join Date
    Mar 2008
    Location
    MI
    Posts
    1,951

    Default

    Great post. I actually didn't even know what PCI compliance was, and I wasn't even close to following any of these rules until I started using Limo Anywhere.

  3. #3

    Default

    Great post Greg. I was wondering about this.

    Dillon

  4. #4
    Senior Member
    Join Date
    Jun 2011
    Location
    Guilford,VT
    Posts
    163

    Default

    I shred every credit card number as soon as the credit card machine comes back approved. The machine prints my copy with signature line, customer copy and batched-out settlement receipt, all of which only show the last four digits of the c.c. #. I have no full credit card numbers on file.

  5. #5
    Senior Member
    Join Date
    Mar 2008
    Location
    MI
    Posts
    1,951

    Default

    Quote Originally Posted by edwinslimo View Post
    I shred every credit card number as soon as the credit card machine comes back approved. The machine prints my copy with signature line, customer copy and batched-out settlement receipt, all of which only show the last four digits of the c.c. #. I have no full credit card numbers on file.
    What happens if they break something or go over and don't have the cash?

  6. #6

    Default

    We keep our files secure. The card info is important in case of other charges, especially if the client doesn't want to pay for whatever reason and won't give the card info again. In our case we deal mostly with after-hours clients who have sometimes been drinking a lot.
