Sounds to me like you are setting things up to capture credit card details yourself and then process them. This is not PCI compliant and has not been since April. I'd suggest using a PSP where this will all be done for you and you will also be PCI Compliant then.

Hi leehack

I have seen your reply to questions about taking card details before. But I am unsure about it still.

What we do is take such details from customers (via SSL) and only process the order payment when picked and ready for collection or delivery. It can be the case that some items may be out of stock (it is impossible to link or store stock levels as we are a food retail store), so the charge sometimes is less than expected by the customer.

If we process the cards online instantly we would be doing a lot of refunds and in some cases because the expected delivery or collection can be more than a week away for the customer or buying group we feel its unfair to charge customers before the despatch date.

Having said the above I think, and you may correct me PCI compliant is about the card data not getting into the wrong hands.

In my view and what we try to practice is to destory card details on the 'Data entry form' printed from Actinic. In fact to make it easier for us and to the keep customer address and delivery details I have moved the card details to the bottom of the form using Crystal reports so we can cut off and shred that part. I on a regular basis delete customer details off the order tab in Actinic. (what I would find useful is a automatic way of just deleteing the card details so we do not lose the other information for customerb questions and the like. Is this possible?).

So is this ok - is using SSL, destroying the data. If so (or not) I think it needs to be made clearer when installing/using Actinic and also change the reports as we have done.

John

Ps
The card processing is done as customer not present via a card machine.

You can do a pre auth with a PSP, this checks the card but does not take the payment, when you ship you take the money

You are only partly right, actually what you have said is a small fraction of pci-dss. You can tale credit card details but if you do you have to comply with the rules of the scheme and be checked, Actinic is not PCI compliant software so you would fail.

to make actinic compliant it would basically need to have authorised users with special unique passwords and the credit card data stored would need to be encrypted, probably with a 256bit encryption, normally split into two pass phrases that no one person knows both parts of.