Allow Users to Store Credit Card Data - who uses it and is it safe?

I have a lot of repeat customers who would like to have their credit card data stored, but my old cart didn’t have this functionality. Needless to say I don’t want to go into this lightly.



I use PayPal Website Payments Pro and an SSL certificate.

Apparently they offer a PCI scan service:

https://www.paypal.com/pcicompliance



Does anyone use the “allow users to store cc data” feature, and does it work like I think it does - allowing logged in return customers to check out more quickly?



Second, is this safe if I implement it with WPP and their scan service?



Are the cc #'s visible in the admin tool (assuming you have set the order statuses to clear the cc info correctly)? I would hope not.



My customers would love this but I don’t want to jump into anything.



Thanks in advance.

We don’t store anything because it opens up a huge “can of worms” on being PCI compliant. Not to mention, we are a small mom and pop that really doesn’t want to take the risk of hackers getting customers' cc information. If the hackers are getting into the “big” sites, then there is a chance they can get into mine. If they do, I want little or no information there for them to get.

I would strongly urge you to not do this.



For starters, you will not be PCI compliant (which is a major requirement of most processors these days). Second, if anything were to happen to your data, most mom & pops do not have the financial backing to allot for issues arising from stolen credit card #'s, unauthorized transactions, etc.



I also believe that most repeat customers would not want their credit card information stored anyway. They know when making an online purchase they will need to enter their information. You may be saving them some time by storing their cc data, but that benefit is minuscule compared to the alternative.



Hope this helps.

Yeah, it sounded like a minefield - I won’t do it. In my case, I have a large percentage of wholesale customers and they expect me to retain their card numbers. It’s the norm in this business, but I bet these suppliers have it stored in a file someplace which is a huge no-no. I don’t keep #s even on paper in my locked office, should some meth-head break into my office and go on a shopping spree on my customers’ cards.



My understanding is that there are some merchant accounts that store it on their end and let the customer charge it again. PayPal WPP actually does store it. I can manually pull up a recent order in PP and if they wanted to add to their order or add rush shipping I can do it through there, without us having access to the actual #.



It would be nice if we could just hook back into that if the customer opts-in. Like when I shop online at the Gap, I don’t have to haul out my card.

[quote name=‘lauraluc’]Yeah, it sounded like a minefield - I won’t do it. In my case, I have a large percentage of wholesale customers and they expect me to retain their card numbers. It’s the norm in this business, but I bet these suppliers have it stored in a file someplace which is a huge no-no. I don’t keep #s even on paper in my locked office, should some meth-head break into my office and go on a shopping spree on my customers’ cards.



My understanding is that there are some merchant accounts that store it on their end and let the customer charge it again. PayPal WPP actually does store it. I can manually pull up a recent order in PP and if they wanted to add to their order or add rush shipping I can do it through there, without us having access to the actual #.



It would be nice if we could just hook back into that if the customer opts-in. Like when I shop online at the Gap, I don’t have to haul out my card.[/quote]



Look into Authorize.net CIM module - It’s exactly what you need but without CS-Cart integration.
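The pattern the two posts above describe (the processor keeps the card, the merchant keeps only a handle it can charge again) is usually called tokenization. The example below is added here to show what that looks like on the merchant side; it is not CS-Cart code and not the Authorize.net CIM or PayPal API. `ProcessorVault` is a mock standing in for the processor, and `StoredCard` is the only record the merchant would keep: a token, the last four digits and the expiry, never the full number and never the CVV (PCI DSS forbids keeping the CVV after authorization regardless of encryption). The `find_pans` scanner at the end is the check a practitioner would run over their own order tables and logs to confirm no full card numbers have leaked into storage.

```python
"""Card-on-file without holding card numbers (added example, not vendor code).

ProcessorVault mocks the processor-side vault; a real integration would call
the processor's tokenize/charge endpoints instead of this in-memory dict.
"""
import re
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum for a 13-19 digit primary account number (PAN)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Mock of the processor's vault: it holds the PAN and returns an opaque token."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, int, int]] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)  # hypothetical token format
        self._cards[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"status": "approved", "amount": amount_cents}


@dataclass(frozen=True)
class StoredCard:
    """The merchant-side record: display data plus the processor token only."""
    customer_id: str
    token: str
    last4: str
    exp_month: int
    exp_year: int


def save_card(vault: ProcessorVault, customer_id: str, pan: str,
              exp_month: int, exp_year: int, cvv: str) -> StoredCard:
    """Hand the PAN to the processor and keep only the token and last four.

    The CVV is accepted for the initial authorization only and is deliberately
    not written anywhere: PCI DSS prohibits storing it after authorization.
    """
    del cvv  # used once by the processor during authorization, never persisted
    token = vault.tokenize(pan, exp_month, exp_year)
    return StoredCard(customer_id, token, pan[-4:], exp_month, exp_year)


def charge_stored(vault: ProcessorVault, card: StoredCard, amount_cents: int) -> dict:
    """Re-charge a returning customer using the token; the merchant never sees the PAN."""
    return vault.charge(card.token, amount_cents)


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text; run this over your own tables and logs."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_ok(candidate):
            hits.append(candidate)
    return hits


def record_is_clean(card: StoredCard) -> bool:
    """True if serializing the merchant record exposes no full card number."""
    serialized = (f"customer={card.customer_id} token={card.token} "
                  f"last4={card.last4} exp={card.exp_month}/{card.exp_year}")
    return find_pans(serialized) == []


if __name__ == "__main__":
    vault = ProcessorVault()
    # Constructed sample input: a well-known test card number, not a real account.
    card = save_card(vault, "cust-42", "4111111111111111", 12, 2030, "123")
    print(card, charge_stored(vault, card, 1999), record_is_clean(card))
    print(find_pans("order 17 card 4111 1111 1111 1111 cvv 123"))
```

The scanner is the piece worth keeping even if you never store cards: point it at database dumps, order notes and web server logs, since that is where full numbers usually end up by accident.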

I also recommend that you do not allow customers to store credit card data. You could try CRE Secure for CS-Cart. This greatly reduces your PCI scope by handling the credit card data on their server.

Nothing in PCI compliance prohibits storing CC data. As long as it's encrypted and access to the unencrypted data is over SSL, it is allowed.