Avoiding the issue are we?


Ho Ho Ho

I think that you are meant to delete them when you have finished with them. That is one of the reason that I use worldpay - I don't like the idea of being responsible for peoples credit cards details.

Regards,

You might be breaking some laws. I'd guess it probably depends on how well your PC is protected. I'm sure of course that a security minded person such as yourself doesn't allow anonymous login to the admin account on your PC.

Mike

PS. I'm like Jan and use a PSP for peace of mind. I never see any credit card details and all I can do post-purchase is a refund.

Hi George

Not at all

With regards to your question about breaking the laws, i have not seen this written anywhere at all. At present we are investigating into the whole username/password dialog for version 7.

As Mike said, you can product your pc by not allowing anonymous login, or you could go one stage forward and set up a BIOS password to prevent unauthorised access to your pc from bootup.

Kind Regards

On the same issue, is the credit card data encrypted in the database. It's no use locking access to Actinic if the back door is open.

Mike

Hi Mike

The orders are encrypted on the website, but when you download the orders, they are decrypted, therefore plain text within the access database.

Kind Regards

Kind of what I suspected. If someone managed to hack into your PC and download the database then they'd have all the customers details including address and credit card data.

Personally, I think the CC data should be encrypted in the database. But not everything please as access to the database is important for accounting and stock control.

Mike

I don't see the problem with this. If anyone used my Card fraudulently i'd just tell my Card company and they would get the money back for me. (we'll thats what they say).
________
Mark x

Dee - Thats EXACTLY the problem! If someone was to steal your database of customer and credit card details, the defrauded customers could get their money back - from the RETAILER at fault. Thats you and me!!!

They wouldn't get their money back from the retailer whose database was stolen, but any fraudulent purchases made would be recoverable from the retailer who supplied goods or services paid for with the stolen card details, so I think it's important that we all have good security procedures in place to try to detect potentially fraudulent transactions when accepting orders.

It's not just your database you have to worry about being stolen though - if you print a Data Entry Report or Invoice, this also contains the card details, and the banks insist you retain all documentation relating to card transactions for 6 months. (Not forgetting Inland Revenue & VAT who expect you to keep 6 years records, including "all invoices, sales slips, delivery notes, purchase orders and correspondence relating to sales"). Then of course there are telephone and mail order transactions to worry about as well, so a secure filing system would be required for all the paperwork too! (and a good shredder to dispose of all the paper safely when it can eventually be disposed of!!)

At least if your database is stolen, and you are aware it has been, you should be able to restore it from a backup, which would let you supply the police and PSP with a list of compromised cards which could then be stopped to prevent them being used.

We suggest Authorize.net payment gateway. We never receive a credit card at all from any transaction completed through the web site. The gateway accepts clears and processes all payments and all we see is an authorization code. SO there is no issue with insecure databases holding credit cards. If a real time payment gateway is not an option I would suggest that you consider accepting cards securely using the actinic software and immediatly after processing the transaction through your credit card terminal remove the transaction from Actinic and purge all orders. This will remove data which should be secure from the actinic dataabse. You should also take proper access control proceedures for your computer to protect customer data.

Now I know no one has ever read all the fine print that comes with a merchant account however if you accept visa credit cards then your a member of Visa merchants and bound to the terms of the visa merchant agreement which has very detailed requirements for the handling and processing of credit cards. I suggest a day of Research is needed to review the visa.com web site ane lean more about your obliagtions as a merchant. And btw if your database is hacked and your cleints credit cards are exploited because of your merchant data processing proceedures you as the hacked merchant are liable for the purchases made through your security loop hole. As well you can be fined ( in the US its 25k for a negligent breech).

Care should be taken with holding and storing credit cards. At the end of the day its your ass if things go bad. Read all about internet merchant processing and verified by visa to protect yourself.

Brian

Yep, using PSPs gets my vote too.

People complain about the cost, but to me the time taken to manaully process cards has to add up to more than the PSP charge, and not having the security issues of holding CC detail on a PC is crucial.

I had never actually thought to much about CC details and small businesses who use their own CC processing. I shall certainly bear this in mind when ordering in the future. Just imagine a small business running actinic on a laptop....and the laptop stolen whilst its owner is on a train or in a shopping centre or just walking down the road.

Maybe the data protection act should be added to this discussion too...

A very good reason not to upload your raw database to your website as a backup!

PSP's have always being how I advise clients to go. What happens if the whole PC is stolen?

You should be registered with the Data Protection Register if you process any personal information.