Re: FN-FORUM: PCI DSS Merchant Compliance -(All sites have to comply by June 30, 2005)
date posted 30th July 2005 20:36
craig - freelance web designer [EMAIL REMOVED] wrote:
> {{THE PICTURE}}
> My client owns a high street shop and requires an online e-shop to
> support the shop sales. He has made it clear that he doesn't want to use
> PayPal or a WorldPay system, as he has a merchant account which he uses
> in the shop.
AIUI, the merchant account the bank will have issued for the shop will
be for customer present and telephone sales. I don't think the bank
would generally be too pleased with you taking internet-based orders
and manually processing them (yes I know there are people doing this),
you're supposed to obtain a separate internet merchant account for that.
Unless things have changed.
> {{MY HOSTING PROVIDER STATES}}
> Accepting online payments via credit card must be done securely. It
> is not adequate to take credit card details via SSL then to email the
> results to yourself or the administrator. There are at least three
> issues with this method:
Good to see people taking a sensible approach to card security.
Yes, what is the point of transmitting card details over SSL and then
transporting them in cleartext non-SSL SMTP? Potentially ending up
with card details stored unsecured in mail queues and perhaps bouncing
around when email systems don't quite work as they should.
-Paul-
--
Paul Civati 0870 321 2855
Rack Sense Ltd - Managed/Business hosting - www.racksense.com
RackRed - Value SSL certificates and servers - www.rackred.com
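
A defender-side check for the failure mode the reply above describes (card details left sitting in mail queues or mailboxes), added here as an example and not part of the original post: it scans a raw message for Luhn-valid card numbers and reports them masked. The sample message, addresses and function names are constructed for illustration; the card number is a widely published test value.

```python
import re
from email import message_from_string

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order refs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(raw_message: str) -> list[str]:
    """Return masked, Luhn-valid card numbers found in the subject or text parts."""
    msg = message_from_string(raw_message)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    hits = []
    for m in PAN_RE.finditer("\n".join(chunks)):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

# Constructed sample: what a form-to-email script might leave in a mail spool.
SAMPLE = (
    "From: shop-form@example.test\n"
    "To: owner@example.test\n"
    "Subject: New order\n"
    "\n"
    "Order ref: 1234567890123456\n"   # 16 digits but fails Luhn, so ignored
    "Card: 4111 1111 1111 1111\n"     # published test number, passes Luhn
    "Expiry: 07/08\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE))
```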