01-21-2013 09:51 PM
We are building a system where our clients will be using CIM to store customer payment information. There is a process I have been thinking through and I'm hoping someone can give me some input on whether this approach is PCI compliant or not.
Our clients often store their customer's payment information in a very insecure way. Many have it written down and stashed in a drawer at the front counter. This system will give them the capability to funnel their customers through an online portal and handle all the recurring transactions using CIM. They will have the ability to add new customers (in addition to customer's being able to sign themselves up), but part of the process is adding the customer's credit card information. The initial plan was to let them add the credit card information for the customer (if they have it of course), but I don't want to implement a process that could put myself or my clients in jeopardy.
Is there any compliance issues with this approach? Should I not allow them to enter their customer's credit card information?
01-24-2013 10:22 PM
If you're using hosted CIM, your site avoids stringent PCI compliance requirements. You still need to implement basic PCI compliance, however (not having vulnerable things installed, keeping track of who has access to the site, not leaving passwords lying around, etc.), since someone who compromises your site can just redirect the customers to somewhere that isn't Authorize.net and steal credit card data that way. Sadly, official compliance is next to impossible without expensive hosting designed specifically for it, so unless this is a corporate system and you can afford the overhead, it's often easier to just secure things as best you can and then eat the fine if you fail the security scan. You'll still be far more secure than what you're doing now, in terms of -actual- security.