
Question

I'm overhauling our absolute time-bomb of an order processing system that would put us out of business tomorrow were we audited for PCI compliance. It's so amateur it's scary.

I'm planning on making a case to the higher-ups that the liabilities of storing CC information outweigh the conveniences of not having to re-ask the customer for numbers, but I know I'm going to get asked how vendors like Amazon and such get away with storing information for repeat purchases, and I have no answer to this.

So, how do vendors like Amazon and everybody else who bills monthly authorize future charges without storing things like CVV info, which is expressly forbidden by PCI DSS v3?

I read elsewhere that tokens can be created and stored in lieu of stripe info, but isn't possession of a token representing the contents of the stripe just as valuable as the stripe info itself? Anybody with possession of the token could make fraudulent charges, so who cares whether they have that or the actual CC/CVV info?

Or is token conversion just a way of saying "we're not storing the actual PAN/CVV" and passing along regulatory compliance issues to whoever issued it?

Explanation / Answer

It's been a few years, but when I was doing ecommerce (including one job for a large company that had previously been storing thousands of credit card numbers in plaintext), my preferred method was using Authorize.net's CIM service (other providers have similar services, that's just the one that I'm most familiar with; shop around for the one that works best for you).

The way that it worked was that you sent the info to the processor and they returned a token. The token is safer than the actual card data because it is only good to charge that card to your account using that one processor. Someone couldn't take the token and use it elsewhere, and if they did get it, all they could do with it would be to make bogus charges from you, which would put money in your account and make you look bad, but you could refund the money and cancel the tokens and no real harm done except temporary inconvenience - no money lost to the bad guys and no need to replace the card.

If the recurring charges are consistent and scheduled, some other card processing services let you set up subscription plans, where you initially send the card info along with a plan description of how often to bill how much. Thereafter, you can cancel the plan, but you have neither the card info nor a token, so you can't accidentally charge them (as you could with a token) or lose their card info in a breach.

Never ever store CVV in any way; that is strictly forbidden. You don't need it at all, and having it is a huge liability. You should not need to store anything except at most a token or subscription id. The last 4 digits and card type (Visa/Mastercard/etc.) may help customer service, but are not really necessary.
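The token and subscription flows the answer describes, as an added example that is not part of the original answer and not the API of Authorize.net or any real processor: `ProcessorVault` is a stand-in for the processor side, the `tok_`/`plan_` identifier formats, the function names and the Visa test number 4111111111111111 are all assumptions. It shows the merchant keeping only a token (or plan id), last four digits and brand, a token being useless from a different merchant account, revocation after a suspected leak, and a persistence-layer guard that refuses to store anything Luhn-valid and PAN-shaped.

```python
import re
import secrets
import string
from dataclasses import dataclass

# ---- Processor side: simulated vault standing in for a real CIM-style service ----
class ProcessorVault:
    """Holds card data on the processor's side and issues opaque tokens that
    only the merchant account that created them can charge (simulation)."""

    def __init__(self):
        self._cards = {}   # token   -> (merchant_id, pan, expiry)
        self._plans = {}   # plan_id -> (merchant_id, pan, amount_cents, interval_days)

    @staticmethod
    def _opaque(prefix):
        # Letters only, so a token can never look like a PAN to the merchant-side guard.
        return prefix + "".join(secrets.choice(string.ascii_letters) for _ in range(24))

    def tokenize(self, merchant_id, pan, expiry, cvv):
        # CVV is verified for this single authorization and then discarded; it is never stored.
        if len(cvv) not in (3, 4) or not cvv.isdigit():
            raise ValueError("bad CVV")
        token = self._opaque("tok_")
        self._cards[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id, token, amount_cents):
        entry = self._cards.get(token)
        if entry is None:
            return "declined:unknown_token"
        if entry[0] != merchant_id:
            # A leaked token replayed from another merchant account buys nothing.
            return "declined:wrong_merchant"
        return f"approved:{amount_cents}"

    def revoke(self, merchant_id, token):
        # Merchant's response to a suspected token leak: cancel it, no card replacement needed.
        entry = self._cards.get(token)
        if entry and entry[0] == merchant_id:
            del self._cards[token]
            return True
        return False

    def create_plan(self, merchant_id, pan, expiry, cvv, amount_cents, interval_days):
        # Subscription variant: the merchant keeps a plan id only, not even a token.
        if len(cvv) not in (3, 4) or not cvv.isdigit():
            raise ValueError("bad CVV")
        plan_id = self._opaque("plan_")
        self._plans[plan_id] = (merchant_id, pan, amount_cents, interval_days)
        return plan_id

    def cancel_plan(self, merchant_id, plan_id):
        entry = self._plans.get(plan_id)
        if entry and entry[0] == merchant_id:
            del self._plans[plan_id]
            return True
        return False

# ---- Merchant side: the only payment fields the order system may persist ----
@dataclass
class StoredPaymentMethod:
    customer_id: str
    token: str
    last4: str
    brand: str

PAN_RE = re.compile(r"\d{13,19}")

def luhn_ok(digits):
    """Standard Luhn check; used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_cardholder_data(record):
    """Persistence guard: True if any stored field holds a Luhn-valid 13-19 digit run."""
    return any(luhn_ok(m) for v in vars(record).values() for m in PAN_RE.findall(str(v)))

def save_card_on_file(vault, merchant_id, customer_id, pan, expiry, cvv):
    """Forward PAN/CVV once to the processor, keep only token + last4 + brand."""
    brand = "visa" if pan.startswith("4") else "mastercard" if pan.startswith("5") else "other"
    token = vault.tokenize(merchant_id, pan, expiry, cvv)
    record = StoredPaymentMethod(customer_id, token, pan[-4:], brand)
    if contains_cardholder_data(record):
        raise RuntimeError("refusing to persist cardholder data")
    return record

if __name__ == "__main__":
    vault = ProcessorVault()   # constructed stand-in, not a real processor
    rec = save_card_on_file(vault, "merchant_A", "cust_1", "4111111111111111", "12/29", "123")
    print(rec)                                              # no PAN, no CVV in the record
    print(vault.charge("merchant_A", rec.token, 1999))       # approved:1999
    print(vault.charge("merchant_B", rec.token, 1999))       # declined:wrong_merchant
    print(vault.revoke("merchant_A", rec.token), vault.charge("merchant_A", rec.token, 1999))
```

The guard in `contains_cardholder_data` is the piece worth carrying into a real system: it turns "we never store PANs" from a policy into a check that fails loudly if someone later adds a field that does.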