ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

sending credit card info in a form

March 05, 2008 2:06pm

  • #1 / Mar 05, 2008 2:06pm

    rpolito

    6 posts

    Hi,
    I have a basic question. My client wants to use PayPal's virtual terminal to process credit cards for an event. Maybe 20 people will sign up, and they would like to have personal contact with participants.

    So what are the security risks involved in sending credit card info in a form? I am using the Freeform module. I have captchas enabled. Should I send all the info to the database? And send an email to an admin account notifying that someone has registered?
    Or is this just a bad idea and customers should phone in their credit card info?

    Thanks

  • #2 / Mar 05, 2008 2:16pm

    Paul Burdick

    480 posts

    Storing the full credit card number in a database OR sending it via email is usually a bad idea, as it basically requires you to have top-notch security to ensure that that information is never stolen or intercepted. Few people have the resources to do anything even close to what is required. Even companies with billions of dollars make mistakes.

    Typically, the best situation is when the credit card information is processed immediately (or entered offsite like in the Simple Commerce module) and never stored anywhere in your system.

  • #3 / Mar 05, 2008 6:19pm

    Mark Bowen

    12637 posts

    Also I know for a fact in this country that storing the whole number anywhere is against the law. You are either only allowed to store the last 4 digits or not the last 4 digits and store the rest of the number.

    There are places that do this though. One I can think of is Mals-E and there are quite a few good PHP scripts that allow this to be sent securely too but you really should check in your country if this is legal first. Everything is possible but you could be breaking the law somewhere along the line.

    Best wishes,

    Mark

  • #4 / Mar 05, 2008 6:26pm

    Paul Burdick

    480 posts

    Um, Mark, are you referring to the United States law prohibiting the printing of credit card numbers on receipts?

  • #5 / Mar 05, 2008 6:33pm

    Mark Bowen

    12637 posts

    Hi Paul,

    Sorry I should have been clearer when I said “in this country”. I was referring to the UK. You are prohibited from sending or storing the whole of a credit card number in electronic format anywhere. You are however allowed to store say the first half in a database and then have the other half sent to you via e-mail so that no-one can ever get hold of it but then you aren’t allowed to store the information for any longer than needed.

    Sorry should have been clearer on that one.

    I would think however that there are lots of laws to this effect or close to them in other countries though as I know I for one wouldn’t want to give my number across to anyone if I thought they were storing it for longer than needed.

    Best wishes,

    Mark

  • #6 / Mar 05, 2008 6:54pm

    Paul Burdick

    480 posts

    Hm, I know of no such law in the United Kingdom, so I would be interested if you could provide a link.  And I know that the UK iTunes Store stored credit cards, so I would be interested in the exact wording of this law as well.

    Whatever the case, any storing of credit cards should only be done with extreme deliberation.  One has to, at the minimum, meet the standards set out by the PCI DSS and that would not be cheap.  Most people lack the resources and knowledge to successfully do it.

  • #7 / Mar 05, 2008 7:50pm

    Mark Bowen

    12637 posts

    Hi Paul,

    I think it is more on the side of the payment processor where the law comes into play. They say whether or not you are allowed to store that type of information and usually it is only at POS that you are allowed to do this then the data must be destroyed.

    Best wishes,

    Mark
