In order to comply with the PCI standard, CS-cart is prohibited from storing CVV, CVV2, CVC2 & CID under any circumstance.
Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards
[quote name='baoyc']In order to comply with the PCI standard, CS-cart is prohibited from storing CVV, CVV2, CVC2 & CID under any circumstance.
Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards[/quote]
As a user of creloaded and some other carts along with cs-cart, I know cresecure already provides a PCI service for cs-cart sites. What this is is a replicated payment page that conforms to PCI standards, a sort of bridge between your site and your chosen payment processor.
I also know that they will soon be changing their fees and even giving a free service to low-volume store owners. So, something to look into?
[url]https://www.cresecure.com/pages.php?pID=7&CDpath=0[/url]
[quote]
prohibited from storing CVV, CVV2, CVC2 & CID under any circumstance
[/quote]
This has been a requirement of all major credit card providers forever (prior to PCI). Just no one followed it and no one enforced it.
Hi,
I decided to use Cre secure to avoid storing or even collecting CC info on site. I also use Amazon Payments, PayPal Express and PayPal Standard. All of these methods will avoid storing cc info on my cs-cart site.
I also stopped taking phone orders and processing QuickBooks payments from my home. The PCI compliance requirements for my home computer and network were not worth the expense and trouble. In most cases, I did not even understand what I was supposed to do.
I do have an ssl certificate and even though the processor I use said I did not have to do scans, I still do them. They don’t cost too much and it checks up on cs-cart and the host. I still allow account creation and want this secure. At least I don’t have to scan my home computer anymore.
Bob
Let's make it happen. I still feel uncomfortable storing a user's CVV2 code.
I'm still a little confused by this. From what we can "see" there is no cc information being stored for any of our customers.
We currently have our "order statuses" set up to "remove cc info" as soon as a customer's order is processed. So as soon as the customer's order is placed and it is approved by our payment gateway, the customer's credit card information does not show for us and shows as a bunch of XXXXXX and the last 4 of the cc. It even shows the cvv2 number as x's. So we do not store anything that I can see, and I know that none of my employees can see any customer's credit card information either. Is this information still being kept on my server someplace else?
No, you are explicitly telling it to zap all the cc info. But consider a recurring payment. The cc number, expiry, name, etc. must be kept to charge at the recurrence. However, the cvv2 code is not ever supposed to be stored. I believe that is the one area where cs-cart is out of compliance and was out of “policy” long before PCI ever got defined. It has always been CC vendor (Visa, MC, Disc, AmEx) policy and terms and conditions of use to never store any cvv code or other mag-strip info other than cardholder name, number, etc.
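A check for the question above (is card data still kept somewhere on the server?), added here as an example and not CS-Cart's own code: it walks over stored payment records, flags any verification value or full card number still present, and shows the scrub step that masks the PAN to its last four and deletes the CVV fields outright rather than merely masking them. The field names and the sample records are constructed assumptions, not CS-Cart's actual column names.

```python
import re

# Field names under which card-verification values and PANs commonly end up
# stored. Assumed for this example; CS-Cart's real column names may differ.
CVV_FIELDS = ("cvv", "cvv2", "cvc2", "cid")
PAN_FIELDS = ("card_number", "cc_number")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True when a digit string is a syntactically valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(rec: dict) -> list:
    """Return human-readable findings for one stored order/payment record."""
    findings = []
    for f in CVV_FIELDS:
        if re.fullmatch(r"\d{3,4}", str(rec.get(f, ""))):
            findings.append(f"{f}: verification value stored in clear")
    for f in PAN_FIELDS:
        val = re.sub(r"[ -]", "", str(rec.get(f, "")))
        if re.fullmatch(r"\d{13,19}", val) and luhn_ok(val):
            findings.append(f"{f}: full card number stored")
    return findings


def scrub_record(rec: dict) -> dict:
    """Mask the PAN to its last four digits and drop CVV fields entirely."""
    out = dict(rec)
    for f in CVV_FIELDS:
        out.pop(f, None)            # never keep a CVV, masked or not
    for f in PAN_FIELDS:
        if f in out:
            digits = re.sub(r"\D", "", str(out[f]))
            out[f] = "X" * max(len(digits) - 4, 0) + digits[-4:]
    return out


# Constructed sample records (4111... is a well-known Luhn-valid test number).
SAMPLE = {
    "order-1": {"card_number": "4111 1111 1111 1111", "cvv2": "123"},
    "order-2": {"card_number": "XXXXXXXXXXXX1111", "cvv2": "XXX"},
}


def audit_all(records: dict) -> dict:
    """Map each order id to its findings, omitting clean records."""
    return {oid: f for oid, r in records.items() if (f := audit_record(r))}
```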
So if you are doing the recurrence charge wouldn’t you just uncheck the cvv2 in the “admin>>credit cards” and then the customer would not have to give it at all? At that point we would just log in to our payment gateway and not “require” the cvv2 and then we would not need it to process payments.
I’m also not so sure that “baoyc” is wanting to do the recurrence. They are selling jewelry. I am thinking that some people may be trying to process the cc off line and would need to store the cvv2 or if they only “authorize” the payment do they need the cvv2 to do the final capture later? We do “authorize and capture” as the majority of our orders ship out pretty fast. So once the customer is charged we have no need for their information and prefer to not ever see it and without a doubt we do not want to store anything. So the faster it is zapped, the better…for everyone.
All I know is that the policy of the CC vendors has always been "Never store cvv info". You can process a card without it, but some processors use a higher transaction rate when it doesn't exist due to the higher fraud risk.
And PCI explicitly requires that it not be stored.
CVV2 is intended to prove that the user of the card is in possession of the card (in lieu of a magnetic strip). However, it is rarely required to process a transaction. But like I said above, a transaction might be slightly more expensive without it.
tbirnseth is right. PCI requires that the CVV code cannot be stored at any time, even when the CVV code is encrypted.
As far as I know, recurring payments do not require the CVV code to process, and the only difference is that a transaction might be a little bit more expensive without it.