credit card storage help

> I need some help finding a secure way to store credit cards on a website I
> am working on.  I know, I know you shouldn't do it unless you absolutely
> MUST, but it looks like I absolutely must, sad to say.  I have to set up
> reoccurring payments with credit cards that will notify the user if their
> card is declined and lock them out of certain website features as well.
>  Coding the above is not a problem, I am just very nervous about keeping
> credit card information on anyone.
>
> I know the card #'s need to be stored encrypted, but that's still a pretty
> broad range of options... any help would be much appreciated!
>
>

> You're opening yourself up to huge potential liability if anyone ever steals
> these numbers. Basically, don't.
>
> http://usa.visa.com/merchants/risk_management/cisp.html
>
>
> On Thu, May 22, 2008 at 2:50 PM, Jessica Kennedy <
> police_kidnapped_your_children@...> wrote:
>
>> I need some help finding a secure way to store credit cards on a website I
>> am working on.  I know, I know you shouldn't do it unless you absolutely
>> MUST, but it looks like I absolutely must, sad to say.  I have to set up
>> reoccurring payments with credit cards that will notify the user if their
>> card is declined and lock them out of certain website features as well.
>>  Coding the above is not a problem, I am just very nervous about keeping
>> credit card information on anyone.
>>
>> I know the card #'s need to be stored encrypted, but that's still a pretty
>> broad range of options... any help would be much appreciated!

> Oh man,
>
> ("What copany is this for?")
> You guys are too funny.
>
> Serioulsy,
>
> I wouldn't get anywhere near credit card numbers. I did for one project
> and it scared the crap out of me.
>
> Let someone else worry about the entire process. Even if it costs the
> client a bit more.
>
> -----Original Message-----
> From: Phillip Vector [mailto:vector@...]
> Sent: Thursday, May 22, 2008 3:52 PM
> To: CF-Talk
> Subject: Re: credit card storage help
>
> Sounds like a management problem then actually..
>
> You may want to check out Shift4. They are pretty cheap and are pretty
> reliable. I used to work for them and trust me.. Security is #1 for
> them.
>
> If not, then you need to get on the phone with them and complain that
> they are assisting with fraud or whatever else you can come up with.
> That becomes a problem with the company.
>
> Either that, or store the cards on your site, encrypt them and hope for
> the best. I'd get in print someplace that your managers know they are
> taking a risk though and it's not your fault if you get hacked and all
> the credit card numbers are gone.
>
> So... What company is this again? :)
>
> On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
> <police_kidnapped_your_children@...> wrote:
> > Cardservice international... they store partial card #'s for reference
> if I am not mistaken...
> >
> > they have a reoccurring billing feature on their website, the only
> problem is that once a person is entered into the reoccurring cycle,
> they will run the person's credit card over and over and stick us with
> the fees  regardless of how obvious it is the card is going to decline.
> >
> >
>
>
>
>

> When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
> they say who is that, tell them it's the developer they fired 3 days
> before Christmas after he moved out to work for them.
>
> Good company for security, Pain in the neck HR rep.
>
> On Fri, May 23, 2008 at 12:47 PM, Jessica Kennedy
> <police_kidnapped_your_children@...> wrote:
>> so you're saying I shouldn't do it??? =)  ok, you convinced me... I was pretty nervous about doing that anyway... looks like shift4 will do what I need anyway.
>>
>> and for those of you in a similar situation, i would NOT recommend cardservice international for anything even vaguely large-scale.  not got at all...
>>
>> thanks for the advice about saving data as separate encrypted fields... I really don't have any choice but to collect some sensitive info so I will employ that technique... even if the data will only be on the database for a max of 20 min, i'm not taking chances!
>>
>>
>

> So how do ISPs and other companies handle storing credit cards?   I
> get regularly charged by several companies, not all of whom would be
> large enough to have dedicated IT departments.     Are they storing
> the card details and hoping for the best?
>
> I know there are big billing companies who would be expected to have a
> pretty serious security environment - Plimus comes to mind there - i
> have 3 accounts for different vendors with them -   but conducting a
> monthly business that bills clients monthly would be impractical if
> you couldnt store credit card numbers.
>
> For my own hosting company, I keep credit card details in a totally
> off-line system that never touches the internet. But without being
> able to bill monthly, hosting would not be viable as a business.   I
> would like to have a much better arrangement   - it's highly
> inconvenient having to bill the cards the way we do.   I'd like to be
> able to automate it some how.
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET <http://asp.net/> hosting from AUD$15/month
> On Sat, May 24, 2008 at 5:54 AM, Phillip Vector
> <vector@...> wrote:
> > When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
> > they say who is that, tell them it's the developer they fired 3 days
> > before Christmas after he moved out to work for them.
> >
> > Good company for security, Pain in the neck HR rep.
> >
> > On Fri, May 23, 2008 at 12:47 PM, Jessica Kennedy
> > <police_kidnapped_your_children@...> wrote:
> >> so you're saying I shouldn't do it??? =)  ok, you convinced me... I was
> pretty nervous about doing that anyway... looks like shift4 will do what I
> need anyway.
> >>
> >> and for those of you in a similar situation, i would NOT recommend
> cardservice international for anything even vaguely large-scale.  not got at
> all...
> >>
> >> thanks for the advice about saving data as separate encrypted fields...
> I really don't have any choice but to collect some sensitive info so I will
> employ that technique... even if the data will only be on the database for a
> max of 20 min, i'm not taking chances!
> >>
> >>
> >
>
>

>Lookup PCI Compliance you will see the recommended practices. You can store
>certain as long as you have data encrypted. As well as written policies that
>detail it and how you handle key management. I am working on a 3DES solution
>that will be alot cheaper than buying an nChiper or the likes for 25K.
>
>Eric Haskins
>
>
>
>On Fri, May 23, 2008 at 9:27 PM, Mike Kear <afpwebworks@...> wrote:
>
>>