pci-dss

I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing. Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page that he views the orders and credit card information which he uses to process offline with his own

What are the PCI rules to follow for storing credit card numbers in a database? 1) is this allowed? 2) if so, what rules do we have to follow? Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php which document should I be reading here? John Conde 1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better. 2) You have

I have a business requirement that forces me to store a customer's full credit card details (number, name, expiry date, CVV2) for a short period of time. Rationale: If a customer calls to order a product and their credit card is declined on the spot you are likely to lose the sale. If you take their details, thank them for the transaction and then find that the card is declined, you can phone them back and they are more likely to find another way of paying for the product. If the credit card is accepted you clear the details from the order. I cannot change this. The existing system stores the

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments? Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not available. PCI Data Security , which is apparently the standard for storing credit card info, has a bunch of general requirements, but how does one implement them ? And what about the vendors, like Visa , who have their own best practices? Do I need to have keyfob