PCI Scariness


aj_nsc
02-23-2011, 12:26 PM
At the company I work we've outsourced the creation of a conference registration form to a third party (delegates select their registration, enter their credit card numbers, etc). We've found out just a few days ago that the credit card information, including the CVV2, was not being submitted to a payment gateway, but was just being stored in a database so one of the conference organizers can log into the database, get the credit card information, and punch it into a physical terminal.

This is immensely scary in my opinion, we've approached the third party and he said he'd send a notification email to the conference organizer with all the credit card info instead of storing it......is this any better?

tracknut
02-23-2011, 01:24 PM
It's been a long time since I've dealt with PCI, but PCI is all about auditability of the system. You'll move from being able (or unable) to demonstrate that the database was appropriately secured, to being able (or unable) to demonstrate that the emails were appropriately secured. To me, the email scenario is worse than the database situation, and both are bad.

Dave

aj_nsc
02-23-2011, 01:27 PM
After reading some things online I have a question, is storing the CVV2 code even legal? That was my biggest concern.

tracknut
02-23-2011, 02:02 PM
Can't help you on that one, I don't know.

Ribeyed
02-25-2011, 07:03 AM
Hi,

Visa and Mastercard prohibit the merchant from storing CVV2 numbers on the merchant's system and anyone caught doing so will lose their merchant account.

The suggestion of emailing the credit card details is just ludicrous.

link to CVV2:

http://www.proi.net/card_security.php


P.s.

If you have any questions about storing or using people's credit card details, the best place to start is Visa and MasterCard themselves; they will be only too willing to inform you of the correct procedures.


regards

Ribs

aj_nsc
02-25-2011, 07:10 AM
Thanks a ton Ribs!

svidgen
02-25-2011, 03:13 PM
Arrr ... it's illegal insomuch as it violates your agreement with the merchant.

But, here's the thing. You're not in the spotlight unless you have an issue or you're dealing with a large volume of transactions. Even still, PCI compliance stands as a very good model to reduce your risk and protect your "customers." It's a guide to doing your civic duty in the least.

If you want to be perfectly safe and responsible, the best option is always to use a reputable 3rd party's payment processing form and receive a verifiable transaction ID in return. Paypal comes to mind ... But, I think authorize.net may offer something similar ...

If you want people to stay on your site, you need to make sure you're forcing SSL, keep the CC information out of the database (in memory ONLY), process it according to your CC processor's specs, and store ONLY the transaction information returned by your processor (someone like authorize.net).

Any development firm that's handing you software that deals w/ CC processing should be able to adhere to at least these standards. There are also requirements that deal with the hardware and software environments that the applications run on. Though, since PCI-compliant hosting is very expensive, your best budget-friendly bet, if you insist on processing the cards on-site, is to stay away from shared hosting ... and in my opinion, windows hosting.
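As an added illustration of the "card data in memory only, store just what the processor returns" pattern from the post above (example code, not from any poster in this thread): the gateway class is a hypothetical stand-in for a real processor API, and the check function is the kind of assertion a reviewer could run against whatever record the registration software actually persists, to catch the stored-PAN-and-CVV2 situation the thread started with.

```python
import re

# 13 to 19 consecutive digits is the usual PAN length range
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; distinguishes real-looking PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_data(record: dict) -> bool:
    """True if a stored record holds a Luhn-valid PAN or any CVV/CVC-named field."""
    for key, value in record.items():
        if "cvv" in key.lower() or "cvc" in key.lower():
            return True
        if any(luhn_ok(m) for m in PAN_RE.findall(str(value))):
            return True
    return False


class HypotheticalGateway:
    """Stand-in for a payment processor; a real one would be an HTTPS API call."""
    def __init__(self) -> None:
        self._n = 0

    def charge(self, pan: str, expiry: str, cvv2: str, amount_cents: int) -> dict:
        if not luhn_ok(pan):
            return {"approved": False, "transaction_id": None}
        self._n += 1
        return {"approved": True, "transaction_id": f"txn_{self._n:06d}"}


def register_delegate(gateway, delegate: str, pan: str, expiry: str,
                      cvv2: str, amount_cents: int) -> dict:
    """Card data lives only in these local variables; the persisted record
    carries the processor's answer plus the last four digits, never PAN or CVV2."""
    result = gateway.charge(pan, expiry, cvv2, amount_cents)
    record = {
        "delegate": delegate,
        "amount_cents": amount_cents,
        "approved": result["approved"],
        "transaction_id": result["transaction_id"],
        "card_last4": pan[-4:],
    }
    assert not contains_card_data(record), "card data leaked into stored record"
    return record
```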