    Credit Card Details Shredder

    Currently Actinic stores all the credit card details of customers - if SSL is used. This is now legally not allowed as you must destroy credit card details once the order has been processed - it's also not too good if your laptop goes for a walk either!

    Can we have an option to delete all credit card details once the order has been processed.

    #2
    This is definitely a must have feature. But for those of us who process details offline it would be best if you could delete cc details up to X date.
    Cheers

    David
    Located in Edinburgh UK

    http://twitter.com/mcfinster



      #3
      Nadge - have just suggested from the other thread Malcolm start a thread in the wish list section .. and he already has

      ... or the ability to retain possibly the last 4 digits and "X" out the rest ... this could aid in finding transactions


      Bikster
      SellerDeck Designs and Responsive Themes



        #4
        how does this apply to completed credit card terminal slips
        Not too sure on that one - I only looked into the regs as far as they applied to the way Actinic works, but the general message is no details of any kind can be stored.

        I know many banks are stamping out the practice of processing website transactions offline for this very reason. I think that soon PSPs will be the only method for websites.



          #5
          Originally posted by jont
          ... or the ability to retain possibly the last 4 digits and "X" out the rest ... this could aid in finding transactions
          This would be a good idea - I wouldn't like to remove the number completely for fraud reasons and ID. My epos software takes the last four out and that's perfectly legal.

          Paul.



            #6
            Originally posted by RuralWeb
            I know many banks are stamping out the practice of processing website transactions offline for this very reason. I think that soon PSPs will be the only method for websites.
            I think you're right. Cardnet contacted us recently and said offline processing of web orders breaches their terms and conditions, and gave us 2 months to set up an internet account or they would withdraw our service.

            We've now set one up with Protx and find that the time saved not keying in card numbers more than offsets the small extra cost.

            However, for those still processing offline, there is a requirement to store the sales slip or invoice, along with the card number, for at least 18 months after order completion, so before shredding or deleting the card details it would be wise to print out a copy of the invoice and file it safely and securely.

            Chargeback letters only give you the card number, date and amount of the transaction, so if you haven't stored the card number along with the invoice or sales slip you will not be able to produce these documents to dispute the chargeback. The only specific requirement, according to Cardnet, is that the security code is destroyed immediately authorisation has been obtained.
            Brian
            www.flowergallery.co.uk
            Same day flower delivery to UK
            Same day flower delivery to Republic of Ireland
            International Flower Delivery

            Located in Argyll, Scotland, UK



              #7
              copy of the invoice
              The details are actually on the Data Entry report rather than the invoice - so this would be the thing to save.

              Thanks for all the suggestions and votes here. Lots of food for thought.



                #8
                The details are actually on the Data Entry report rather than the invoice - so this would be the thing to save.
                The data entry report includes the CV2 number, which is not supposed to be retained under any circumstances (printed or electronically).

                This is a serious issue.

                Actinic have taken the right initial steps with encrypting the database, but security issues need tightening up further, and urgently.

                Maybe a condensed cc report would be possible, with just a couple of summary lines per order, and minus the CV2. Run between selectable dates (monthly for example), this could be retained, and the original data entry reports shredded once payment has been taken.

                I don't actually think there is a lot of benefit to retaining the data entry reports anyway, as I doubt these would be acceptable to back up any chargeback claim. The terminal receipts are the only thing the card companies want, and even these don't actually offer much, if any, of a retailer defence against a chargeback!



                  #9
                  Originally posted by fleetwood
                  I don't actually think there is a lot of benefit to retaining the data entry reports anyway, as I doubt these would be acceptable to back up any chargeback claim. The terminal receipts are the only thing the card companies want, and even these don't actually offer much if any, of a retailer defence against a chargeback!
                  We have successfully used the data entry report on more than one occasion to defend a chargeback claim. Until we went over to online payment, we printed out the data entry report, entered the credit card details into our shop terminal, and when authorisation was obtained, obliterated the security code and deleted it from the order record in Actinic.

                  The data entry report gives full details of the order, including delivery name and address, and the message sent with the order - it's amazing how many people suddenly remember that they sent flowers to somebody when they are prompted with the recipient's name. We find that this, along with a signed delivery receipt, enables us to dispute most of our chargeback claims, leaving us only bearing the cost of the truly fraudulent ones.
                  Brian
                  www.flowergallery.co.uk
                  Same day flower delivery to UK
                  Same day flower delivery to Republic of Ireland
                  International Flower Delivery

                  Located in Argyll, Scotland, UK



                    #10
                    ... or the ability to retain possibly the last 4 digits and "X" out the rest ... this could aid in finding transactions
                    You can already do this, although currently it is a manual process (I think I'll add a batch order processor to my automation product though, it would fit well). If you put a * at the start of the number the rest is then ignored, so you can replace the whole thing with a star or you could have * and the last 4 digits for identification purposes.

                    In V8 you have the option to switch on login and to encrypt credit card details, which I believe should then meet the legal requirements. (V7 also meets the legal requirements so long as you manually remove the card details when order processing is complete).

                    Regards,
                    Jan Strassen, Mole End Software - Plugins and Reports for Actinic V4 to V11, Sellerdeck V11 to V2018, Sellerdeck Cloud
                    Visit our facebook page for the latest news and special offers from Mole End

                    Top Quality Integrated label paper for Actinic and Sellerdeck
                    A4 Paper with one or two peel off labels, free reports available for our customers
                    Product Mash for Sellerdeck
                    Link to Google Shopping and other channels, increase sales traffic, prices from £29.95
                    Multichannel order processing
                    Process Actinic, Sellerdeck, Amazon, Ebay, Playtrade orders with a single program, low cost lite version now available from £19.95



                      #11
                      In V8 you have the option to switch on login and to encrypt credit card details, which I believe should then meet the legal requirements.
                      It may match the legal requirement (I'm not sure whether it does or doesn't), but retaining a printed data entry form, complete with CV2, is in breach of the credit card companies' rules.

                      The data entry report gives full details of the order, including delivery name and address, and the message sent with the order
                      A copy of the order invoice and the terminal slip (which you need to retain anyway) does the same job, and does not include the CV2.



                        #12
                        Reading my Cardnet Operating Manual, under Data Security, it states:-

                        "Storage of cardholder information

                        The following information must not be stored after receiving authorisation for a transaction under any circumstances:
                        * Information stored in the magnetic strip that facilitates card processing.
                        * The Card Security Code (CSC) or CVC2 (the 3-digit number indent-printed on the signature panel and used for mail order, telephone order or Internet transactions)

                        ONLY THE INFORMATION THAT IS ESSENTIAL TO YOUR BUSINESS, FOR EXAMPLE, NAME, ACCOUNT NUMBER OR EXPIRATION DATE, CAN BE STORED. THIS SHOULD BE KEPT IN A SECURE AREA LIMITED TO AUTHORISED PERSONNEL."

                        So, as long as the security code is destroyed after authorisation is obtained, all other information relating to the cardholder and card may be retained so long as it is stored in a secure area. I would take this to mean, for paper records, a locked filing cabinet or storage cupboard, with, preferably, access only available to the business owner or manager.

                        The manual goes on to say that, with regard to electronic storage of cardholder data, special rules apply, and any merchant intending to store such data should contact Cardnet for further help and information.

                        I still think, however, that online processing with a PSP is the way to go for all businesses nowadays, as the consequences of any security breach could have immense repercussions on the business. In fact, any trader who is still downloading orders with credit card details for manual processing is in breach of their merchant terms and conditions, which brings me to the next question:- should Actinic still be providing the ability for merchants to use this procedure? Perhaps the way ahead is for Actinic ( and other shopping cart system providers) to take the lead and make the decision to phase out this option over a reasonable period of time, say, one year, to give existing users time to make the necessary arrangements.
                        Brian
                        www.flowergallery.co.uk
                        Same day flower delivery to UK
                        Same day flower delivery to Republic of Ireland
                        International Flower Delivery

                        Located in Argyll, Scotland, UK



                          #13
                          I still think, however, that online processing with a PSP is the way to go for all businesses nowadays, as the consequences of any security breach could have immense repercussions on the business. In fact, any trader who is still downloading orders with credit card details for manual processing is in breach of their merchant terms and conditions, which brings me to the next question:- should Actinic still be providing the ability for merchants to use this procedure? Perhaps the way ahead is for Actinic ( and other shopping cart system providers) to take the lead and make the decision to phase out this option over a reasonable period of time, say, one year, to give existing users time to make the necessary arrangements.
                          So wrong, how can this be done when the software cannot even do VAT rounding properly? We have to do manual transactions onto our main server for order processing.

                          We use SSL to capture all our credit card details, and my PC is in an office with a key coded door. Nothing wrong with this I believe.

                          The option should be in Actinic to run a remove CVV details between dates X & Y or remove all card number digits except for the last 4 between dates X & Y.

                          With the encryption now available I think you will also find that this means the information is not held in any clear form on the PC either. The main problem is what do you do with the printed information - not do away with this option.

                          How many people taking mail orders write the card details on a post-it or bit of paper when in a hurry? This is where most of the fraud comes from as they just get discarded; proper documentation is always treated a bit differently and nearly always read before being thrown away. Most of the problems are down to educating people how to handle sensitive information.

                          Just my bit
                          Darren

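Two ideas recur in this thread: keep only the last four digits of the card number so transactions can still be traced (posts #3, #5 and #10), and run a "shredder" over orders processed between two dates that also removes the CV2 (post #13). The following is an added illustration of that pass over a set of stored order records; it is not Actinic, SellerDeck or Mole End code. The OrderRecord layout, the field names and the sample orders are constructed for the example (the card numbers are standard test numbers, not real ones). It follows the convention described in post #10 of leaving a * at the start of a masked number, and it drops the CV2 from every order that has been paid, whatever the date window, because the Cardnet text quoted in post #12 says the security code must not be stored at all once authorisation has been obtained.

```python
"""Added example: a date-windowed 'credit card details shredder' over order records.

Not Actinic/SellerDeck code. The record layout and the sample orders below are
constructed for illustration only.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OrderRecord:
    order_id: str
    processed_on: Optional[date]   # None until payment has actually been taken
    pan: str                       # card number as entered, digits with optional spaces
    cv2: Optional[str]             # security code: must not survive authorisation
    expiry: str                    # MM/YY; retainable under the Cardnet rule quoted in #12


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*'.

    The result starts with '*', matching the convention from post #10 where a
    leading star tells the order processor to ignore the rest of the number.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= keep_last:
        raise ValueError("card number too short to mask safely")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def is_masked(pan: str) -> bool:
    return pan.startswith("*")


def shred(orders: List[OrderRecord], start: date, end: date) -> Tuple[List[OrderRecord], List[str]]:
    """Return (updated records, ids whose card number was masked in this run).

    - Orders not yet processed are left intact: the details are still needed to take payment.
    - Every processed order loses its CV2, regardless of the date window.
    - Orders processed within [start, end] also get their card number masked to the last four.
    """
    updated: List[OrderRecord] = []
    masked_ids: List[str] = []
    for order in orders:
        if order.processed_on is None:
            updated.append(order)
            continue
        order = replace(order, cv2=None)
        if start <= order.processed_on <= end and not is_masked(order.pan):
            order = replace(order, pan=mask_pan(order.pan))
            masked_ids.append(order.order_id)
        updated.append(order)
    return updated, masked_ids


def find_by_last4(orders: List[OrderRecord], last4: str) -> List[str]:
    """Locate orders by the four digits a chargeback letter or statement shows.

    Works on masked and unmasked numbers alike; several orders may match.
    """
    return [o.order_id for o in orders if o.pan[-4:] == last4]


# Constructed sample records: well-known test card numbers, invented dates and codes.
SAMPLE_ORDERS = [
    OrderRecord("A100", date(2007, 3, 2), "4111 1111 1111 1111", "123", "09/09"),
    OrderRecord("A101", date(2007, 3, 20), "5500000000000004", "456", "01/10"),
    OrderRecord("A102", None, "340000000000009", "7890", "12/09"),          # not yet paid
    OrderRecord("A103", date(2007, 4, 5), "4111111111111111", "321", "11/08"),  # outside window
]


def shred_sample_march_2007() -> Tuple[List[OrderRecord], List[str]]:
    """Run the shredder over the sample set for March 2007."""
    return shred(SAMPLE_ORDERS, date(2007, 3, 1), date(2007, 3, 31))


if __name__ == "__main__":
    records, masked = shred_sample_march_2007()
    for r in records:
        print(r.order_id, r.processed_on, r.pan, r.cv2, r.expiry)
    print("masked:", masked)
    print("orders ending 1111:", find_by_last4(records, "1111"))
```

Note what the sample shows: A100 and A101 come back as `************1111` and `************0004` with no CV2; A103 keeps its full number because it falls outside the window but still loses its CV2; A102 is untouched because it has not been paid. `find_by_last4` returns both A100 and A103 for `1111`, so the last four digits are a search aid, not a unique key. The function returns new records rather than editing in place; whatever actually stores them must overwrite the old row, and a real shredder also has to deal with database free space, backups and the printed data entry reports that several posts above are worried about.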


                            #14
                            online processing with a PSP is the way to go for all businesses
                            I think that you will find that this is the only "legal" method and has been for some months now. I am not suggesting that Actinic stop their SSL as many of my sites use it, only that we have the option to delete the card info.



                              #15
                              From what I can see, the level of security and compliance with the PCI DSS varies according to the number of transactions you do. Look here http://www.secpay.com/secpay/index.p.../full/267.html and scroll down a bit.

                              If you do less than 20,000 credit card transactions per year then PCI DSS is only a recommendation, not a requirement.

                              So using a PSP is the only sensible way to be taking payments these days, but as far as I can tell it's not a legal requirement.

                              Mike
                              -----------------------------------------

                              First Tackle - Fly Fishing and Game Angling

                              -----------------------------------------
