Thread: Storing Credit Card Details

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Dec 2003
    Posts
    4,787

    Storing Credit Card Details

    I'm about to take on a new project and one of the requirements of my client is that their clients enter their card details and then they are saved for future use. What are the legal requirements for storing credit card details?

    Pino

  2. #2
    I'm about to be a PowerPoster! Hack's Avatar
    Join Date
    Aug 2001
    Location
    Searching for mendhak
    Posts
    58,333

    Re: Storing Credit Card Details

    Web application or desktop? (If web, you could be dealing with multi-national requirements)

    Assuming you will be storing the credit card numbers in a database, what database will you be using, and who is responsible for maintaining it?

    What information about the credit card owner will also be stored?

    Does your client, or your company, have a legal department?

  3. #3

    Thread Starter
    PowerPoster
    Join Date
    Dec 2003
    Posts
    4,787

    Re: Storing Credit Card Details

    Quote Originally Posted by Hack
    Web application or desktop?
    Web Application

    Quote Originally Posted by Hack
    Assuming you will be storing the credit card numbers in a database, what database will you be using, and
    MySql

    Quote Originally Posted by Hack
    who is responsible for maintaining it?
    One of my customer's employees and myself, who is the only one who will have access to the DB

    Quote Originally Posted by Hack
    What information about the credit card owner will also be stored?
    Any information that the payment gateway will need for processing it so cardnumber/type/expiry/cv2


    Quote Originally Posted by Hack
    Does your client, or your company, have a legal department?
    Nope...

  4. #4
    I'm about to be a PowerPoster! Hack's Avatar
    Join Date
    Aug 2001
    Location
    Searching for mendhak
    Posts
    58,333

    Re: Storing Credit Card Details

    Pino, my strong, STRONG suggestion would be to consult an attorney.

    Have an attorney put together an agreement to help protect you and your company. The cost of doing this plus a mark-up should be the customer's responsibility.

    Then you should have a monthly upcharge to cover the additional cost of this service.

    Considering the risk, I would make it a rather large upcharge.

    Better yet, have the client directly pay for secure hosting and have a lawyer put together something that completely removes you from any risk.

    Just one problem resulting in a lawsuit can put you out of business very, very quickly.

    In addition, I believe (I'm not sure, that is why you really need to talk to a lawyer) that in some places a web app could potentially reach, storing credit card information isn't even legal.

  5. #5
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Storing Credit Card Details

    You need to get this information from the credit card companies (Visa, Amex, etc) as they have specific requirements (i.e. Visa and Mastercard explicitly say you cannot store the CVV anywhere as it should only be used for the transaction).

    Each card company has details as to how it should be stored, so I would start there. The biggest thing will be locking down the database so absolutely no one can access it.
    Quote Originally Posted by Hack
    In addition, I believe (I'm not sure, that is why you really need to talk to a lawyer) that in some places a web app could potentially reach, storing credit card information isn't even legal.
    I don't think this is true otherwise Amazon and other companies wouldn't be allowed to save your credit card information but I would agree 100% to consult an attorney.

  6. #6
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,709

    Re: Storing Credit Card Details

    Whatever you end up storing will REQUIRE heavy strong encryption of all data stored in the db, and the db protected from attacks. It is very risky to store cc data as even the biggest companies with a large IT staff get hacked, so don't think that even with encryption you are safe.

    IMO, storing any cc info is too risky and shouldn't be done unless you work at Amazon or some place like that lol.

  7. #7
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Storing Credit Card Details

    Going by Sarbanes-Oxley compliance rules, you will need to make your database as secure as you can make it. Any intrusions and anomalies are by law required to be reported.

    Additionally, credit card companies have together created a Payment Card Industry Security Standard which you should look up.

    Some of the most fundamental points are that you use SSL, never display the information to anyone except those who need to know, never store the CVV; it is fundamental that you and all of your teammates read up on these rules, no matter how boring they may seem, before you embark on this project because the penalties for any slip-ups in this area are extremely heavy.

    I've heard of a company where a developer had credit card information stored on his disk drive (backup of a database), the company was fined $5.5 million.

    Your company should also have a "Sensitive Information Policy". That is not something set up by developers; it needs to be set up by accredited security experts and a few technical members of your team. Your sensitive information policy is what your company will use to prove that you are indeed following, or are intending to follow, a set of rules to adhere to compliance. If your company doesn't have one, then you should ask them to get one in place before this begins.

    The implication of all this is going to be a review of the infrastructure in place (firewalls, antivirus, audit trail of access to the machines and databases, infrastructure tests scheduled, etc.).
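    Posts #3, #5 and #7 between them pin down a data-minimisation step that has to happen before anything reaches the database: the gateway needs cardnumber/type/expiry/cv2, the CV2 must never be kept after the transaction, and the number should only ever be shown to people who need to see it. The Python below is an added example, not code from any poster in this thread; it assumes a separate encryption layer (not shown) receives the `secret` part, and that `fingerprint_key` is a server-side key held outside the database.

```python
import hashlib
import hmac
import re

# Fields the thread lists as needed by the gateway: cardnumber/type/expiry/cv2.
# The card-brand rules quoted above forbid keeping the CV2 after the transaction,
# so it is dropped here no matter what the form calls it.
FORBIDDEN_AT_REST = {"cv2", "cvv", "cvv2", "cvc"}

# Constructed sample submission (a well-known test PAN, not a real card).
SAMPLE_FORM = {"cardnumber": "4111 1111 1111 1111", "type": "visa",
               "expiry": "12/27", "cv2": "123"}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum over a digits-only PAN; rejects mistyped numbers before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form for staff who only need to confirm which card is on file."""
    return "*" * (len(pan) - 4) + pan[-4:]

def prepare_card_record(form: dict, fingerprint_key: bytes) -> dict:
    """Split a submitted card form into what may be kept and what must be dropped.

    'secret' holds the PAN and must go only to the (assumed) encryption layer,
    never to a clear-text column. 'metadata' holds non-sensitive columns that
    are safe to store and display. Raises ValueError on a bad PAN or expiry."""
    clean = {k: v for k, v in form.items() if k.lower() not in FORBIDDEN_AT_REST}
    pan = re.sub(r"[ -]", "", str(clean.get("cardnumber", "")))
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid card number")
    expiry = str(clean.get("expiry", ""))
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    # Keyed hash lets the app recognise a re-entered card without a clear-text PAN.
    fingerprint = hmac.new(fingerprint_key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "secret": {"pan": pan},
        "metadata": {"type": str(clean.get("type", "")), "expiry": expiry,
                     "pan_last4": pan[-4:], "display": mask_pan(pan),
                     "pan_fingerprint": fingerprint},
    }
```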

  8. #8
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: Storing Credit Card Details

    That "fully documented" policy that mendhak mentions is no trivial matter.

    I've sat in HIPAA security meetings where it's been discussed that being able to produce a list of who was "hacked" is required. When the hack occurs you need to be able to contact those potentially damaged.

    This can be accomplished using third party SQL tools that track who makes a query and what the query was for.

    A quick google for "credit card sql database tracking security products" came up with http://www.wservernews.com/archives/...-20050711.html

    Credit Card Security Standard Goes Into Effect

    Does your company take credit cards? Who doesn't! The bank that Sunbelt has its merchant account with sent our CFO some new requirements that all companies now need to comply with, or else face the consequences (fines), up to losing your merchant account. That was interesting to hear in the light of all the database record thefts these last few months.

    First they sent us to a site called trustkeeper that allows you to fill out a survey which shows if you comply or not, and then they will scan your systems four times from the outside-in to see if you are vulnerable for attacks. Filling out these 75 questions was interesting, and showed that we were doing fairly well but we failed on a few smallish points. We're correcting these.

    It was also interesting to see that they now require that you have event logging software that shows all login attempts whether successful or not, that you need to back up, secure and retain your audit logs for up to a year, and that if you don't do vulnerability scans that you fail the test as well? And those are only three questions out of the whole battery.

    If you have been looking for good reasons to finally get your security budget approved, I could not get you better ammo than this. There is a product that I strongly recommend if your organization accepts credit cards and now needs to comply: Sunbelt Network Security Inspector. It scans for thousands of (multiplatform!) holes in not just Microsoft applications but also popular third party tools that become more and more the target of hacking attacks.
    One of the health funds I work with had a Washington DC security consulting firm come in to review all aspects - firewalls, physical security (the facility itself!), all manner of authentication protocols - what you do with old disk drives. How you deal with off-site and consultant access - copies of databases for developers to work with.

    When a raid drive dies and it's under warranty do you think that you are sending the damaged unit back to Dell, for instance, when they ask you to? You cannot...

