在线信用卡存储? [英] Online Credit Card Storage?
问题描述
我即将继承并在一家设计不佳的小型企业零售网站上工作。其中最令人担心的是目前的信用卡处理。
I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing.
目前,业主从一个从...获取信用卡信息(姓名,号码,CVV2和截止日期)在线订单,并以MySQL数据库中的纯文本格式保存所有信息。然后,通知将被发送到他有人订购的电子邮件。此后,他有一个行政后端页面,他查看他用自己的商家离线处理的订单和信用卡信息。
Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page that he views the orders and credit card information which he uses to process offline with his own merchant.
从后端页面,信用卡号和CVV2立即被删除(PHP脚本自动调用)。如果该页面在7天内未被访问,该信息也将被删除。因此,在事务处理之前,所有信息都可能以纯文本形式存在七天之内。
After retrieving the information from the back-end page, the credit card number and CVV2 is immediately deleted (PHP script automatically called). The information is also deleted if that page is not accessed within 7 days. So, there is a potential for all of the information to be in the database in plain text for seven days before transaction processing.
这似乎不是一个好的设计和可能是非法的。如果这是非法的,我将不得不把它打破他,因为他还没有意识到。
This does not seem like a good design and may be illegal. If it is illegal, I am going to have to break this to him, because he does not realize that yet.
我的问题:除了不安全,这是非法还是违反使用条款(PCI DSS)?如果是这样,我怎么能证明这一点,让他改变自己的方式(显然我不想把我的手放在非法的手中,而且有时使用条款的措辞也可以看起来是主观的)?最后,解决这个问题的最佳选择是什么(第三方在线商户,符合PCI DSS或其他)?
My question: Besides being insecure, is this illegal or a violation of terms of use (PCI DSS)? And, if so, how can I prove it to him so that he will allow me to change his ways (obviously, I don't want to put my hands into something that is illegal. Also, sometimes the wording of terms of use can seem subjective)? Finally, what are the best options for fixing this issue (3rd party online merchant, becoming PCI DSS compliant, or something else)?
推荐答案
p>这违反了PCI DSS。不仅存储您不应该存储的信息(CVV),而且不加密信用卡号(也是违规)。
That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).
更糟他违反了Visa和万事达卡指南,规定所有在线交易必须使用ECI兼容设备或软件进行处理,而互联网订单必须有一个单独的商家帐户。他们的信用卡终端绝对不符合ECI标准,因为没有。他们需要获得一个新的商家帐户,并使用像Authorize.Net这样的支付网关来处理这些订单。
Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.
修改
由于我怀疑网站所有者实际上会打扰获取新的商家帐户或实施支付网关,最好的方法是使用双向加密来存储此信息。然后确保他们用来检索信用卡信息的页面是加密的(SSL证书),以便信息是端对端的安全。
Since I doubt the webbsite owner will actually bother to get a new merchant account or implement a payment gateway your best bet is to use two way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end-to-end.
我强烈建议一个互联网商户帐户,并使用像Authorize.Net这样的支付网关。除了符合PCI和ECI标准,只是智能的方式,企业的潜力不仅仅是失去了他们的商家帐户,而且被黑名单和禁止从来没有真正的商家帐户再次是非常高的。所有它需要的是一个退款,他们的商家帐户提供商意识到他们正在做什么和麻烦开始。
I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever have a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.
这篇关于在线信用卡存储?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
