[personal profile] nonethefewer
Gah.  I need to find information on the laws in the US, and in Oregon, for how businesses must store credit card data in their databases -- encryption, length of time, whatever the hell.

I'm in the process of Googling this now, but if someone happens to know off the top of their head where some good info is, that'd be awesome.

Unrelated project: syncing Firefox's custom dictionary between computers.

Originally posted on Dreamwidth.

(no subject)

Date: 2011-03-14 04:48 pm (UTC)
From: [identity profile] kyburg.livejournal.com
Well, that *sort* of falls under the EDI bailiwick - largely, you don't want to store it.

I would go directly to the credit card processors and ask them.

(no subject)

Date: 2011-03-14 04:52 pm (UTC)
From: [identity profile] whip-lash.livejournal.com
What you want is the PCI DSS (http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard).

If there is any way to avoid having to comply with that (like outsourcing to a vendor), I would. It's an unbelievable, detailed pain and requires outside audits quarterly, as I recall, if you're storing the data.

(no subject)

Date: 2011-03-14 05:18 pm (UTC)
From: [identity profile] the-xtina.livejournal.com
We have already gone through such utterly painstaking bullshit in complying with that, it's unreal.  :P

(no subject)

Date: 2011-03-14 05:35 pm (UTC)
From: [identity profile] tisiphone.livejournal.com
This is actually governed by a standard rather than a law per se; it's the PCI DSS standard. (There are laws in some jurisdictions, but PCI DSS will be stricter than them and if merchants don't comply they lose their ability to accept credit cards, so that's the relevant regulation.)

(no subject)

Date: 2011-03-14 10:20 pm (UTC)
From: [identity profile] sinboy.livejournal.com
The basic answer is, you don't. You find a licensed company to do it for you, and then contact them when you need those cards on file charged. That's how my company sets things up for merchants we deal with.

Why would you want to do it yourselves? It's expensive, puts you in danger of massive liability, and can only be profitable if you're processing huge amounts of credit card sales. If you're not processing thousands of sales a day, you're going to lose money just from the set up and maintenance costs.

I can put you in touch with my boss, who I think might spare some time to help you, as he's been dealing with this stuff professionally for a while. Let me know if you'd like that.

(no subject)

Date: 2011-03-15 06:20 pm (UTC)
From: [identity profile] sinboy.livejournal.com
My boss confirms - the only people who store credit card numbers in databases are companies whose business it is to do that for other businesses who are not specialized. Unless you're a payment processing company, you don't store credit cards.

If you contract with a company who is a payment processor, they do it for you. You would hire someone to write an interface to tell the company holding the card numbers to charge them, and send the money where it needs to go.