Stephen Russell wrote:
> On Mon, Dec 15, 2008 at 3:52 PM, Leland Jackson <[email protected]> wrote:
>
>> I capture all credit card transactions to a postgreSQL database, and use
>> directNIC to certify my identity and for SSL encryption. I am allowed
>> to maintain credit card numbers in transactions saved to my PostgreSQL
>> databases, but it is illegal to retain the PII (e.g. Personal Identity
>> Information number), which I pass to the Echo gateway to verify credit
>> cards, but do not capture anywhere in my system. The initial
>> transaction is submitted to authorize a transaction. If the
>> authorization completes, I can deposit the authorization to my bank in
>> California with a few button clicks, once items are shipped and/or
>> electronically delivered.
>>
>> http://www.echo-inc.com/payment_gateway.html
>
> -------------------------------
>
> You can save the entire card # in a non masked sense? Something
> doesn't sound right about that. At least with 5 third bank you
> couldn't.
There are a number of measures in place to protect both me and the customer. I use a high level AVS code to verify the identity of the customer before a transaction is authorized. An authorization does not charge the card. It just indicates that the name, address, zip code, and CVV2 number (e.g. a number also known as the "Card Verification Value", which is a 3 or 4 digit verification number found only on the back of the card itself) match against other sources of information before the transaction is authorized. Once items are shipped or delivered electronically, a deposit is made to my account against the authorization, and a corresponding charge is made against the customer's credit card. It is illegal to retain any record of a customer's CVV2 number.

The normal PostgreSQL user, that all customers use once they are logged into the system, has very limited rights as to creating, viewing, and deleting transactions or creating databases. A customer of the shopping cart can log into the system and pull up transactions on his/her account, but the system will only allow the PostgreSQL Database Administrator to access credit card information, or other sensitive information. All email confirmations, sent to the customer across the internet, about transactions processed in the shopping cart are masked to show only the last four digits of the CC number. Echo also maintains a short history of transactions (e.g. 30 days), including CC number, so I can log into Echo, which uses a PostgreSQL database, to view transactions, to make charge backs, or to make other modifications, if necessary. I use foreign key constraints within all databases to force referential integrity throughout the system, and database transactions that contain CC numbers do not contain customer information, but rather only a primary key reference back to another database that contains the customer information. All the other usual measures are in place as per the http://en.wikipedia.org/wiki/PCI_DSS link.
My situation does not pose a great threat, because I do not process a high volume of transactions. It is not unusual for a company that does business over the internet to have credit card information on hand. I pay most of my bills electronically and have my credit card information on file with companies like AT&T, suddenLink, Cirro Energy, Atmos Gas, Mwave, and who knows who else. LOL

Regards,
LelandJ

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
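As an added illustration (not code from the thread or from Leland's system), here is a PostgreSQL sketch of the layout he describes: card data in its own table that holds only a key reference to the customer row, no column for CVV2, a low-privilege role for logged-in shoppers that has no access to the raw card table, and a masked view used to build confirmation e-mails. Table, column and role names are assumed.

```sql
-- Assumed names throughout; this is an illustrative schema, not the list poster's.

CREATE TABLE customer (
    customer_id  serial PRIMARY KEY,
    name         text NOT NULL,
    email        text NOT NULL
);

-- Card data lives apart from identity data and points back only by key.
-- There is deliberately no CVV2 column: it is passed to the gateway, never stored.
-- Note: PCI DSS additionally requires a stored PAN to be rendered unreadable
-- (e.g. encrypted); the plain text column here mirrors the thread, not best practice.
CREATE TABLE card_transaction (
    txn_id        serial PRIMARY KEY,
    customer_id   integer NOT NULL REFERENCES customer(customer_id),
    card_number   text NOT NULL CHECK (card_number ~ '^[0-9]{13,19}$'),
    authorized_at timestamptz NOT NULL DEFAULT now(),
    deposited_at  timestamptz            -- set when the authorization is deposited
);

-- Masked view: everything except the last four digits is replaced by '*'.
CREATE VIEW card_transaction_masked AS
SELECT txn_id,
       customer_id,
       repeat('*', greatest(length(card_number) - 4, 0)) || right(card_number, 4)
           AS card_number_masked,
       authorized_at,
       deposited_at
FROM card_transaction;

-- Role used by the shopping cart once a customer is logged in. It can read the
-- masked view (which runs with its owner's privileges) but has no rights on the
-- raw table, so full card numbers are reachable only by the database owner/DBA.
CREATE ROLE shopper NOLOGIN;
REVOKE ALL ON card_transaction FROM PUBLIC;
REVOKE ALL ON card_transaction FROM shopper;
GRANT SELECT ON customer TO shopper;
GRANT SELECT ON card_transaction_masked TO shopper;

-- Confirmation e-mail data is assembled from the masked view, so the full PAN
-- never leaves the database on that path.
SELECT c.email, m.card_number_masked, m.authorized_at
FROM card_transaction_masked m
JOIN customer c USING (customer_id)
WHERE m.txn_id = 1;
```

Run as a superuser or the schema owner; a session that has done SET ROLE shopper gets a permission error on card_transaction but can still query the masked view.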

