Posted by Robin Vickery on 02/02/05 13:45
On Wed, 02 Feb 2005 01:24:18 -0500, Angelo Zanetti <binc2@cput.ac.za> wrote:
>
> Does this setup sound secure enough and a solution that can work?
> What kind of encryption should I be using?
>
> Point out any areas where you think I might be missing something or
> going wrong.

Take Richard's advice and don't do it - any decent Merchant Service
Provider should give you a method of placing recurring charges, which
would take most of the responsibility and liability out of your hands.

If you're even thinking of storing credit card numbers you should have
already read and be familiar with the PCI Data Security Standard.

http://www.visaeurope.com/acceptingvisa/pdf/PCI_Data_Security_Standard_1_0.pdf

You'll have added up the costs of not only building all that, but also
the costs of maintaining it, the continuous monitoring, the (at least)
quarterly vulnerability scans, incident response plans etc.

You should also know the risks of not following the cards' security
policies; last time I looked, Visa's compliance penalties were $50,000
for a first offence and $100,000 for subsequent offences, plus the
risk of being permanently barred from holding a merchant account.

You must also have considered what effect it would have on your
business if you have to inform all your customers that their credit
card details have been compromised.

Storing card details is a high cost, high risk solution. Unless you've
a *really* good business reason for doing so that you've not
mentioned, it's not a good idea.

-robin