Information Security
pci-dss credit-card
Updated Mon, 23 May 2022 05:44:38 GMT

Dealing with credit card data that is not charged directly
I have a client who is a reseller for vacation packages. For years they've had a payment form on their site where the end user would fill out their credit card data and the information is emailed to the reseller. BAD... I know. The only security they had implemented was that the page was SSL.

The client then signs into their wholesaler account and charges the card there.

As a new client, we told them this is bad and needs to be handled differently.

So my question is, what would be the proper method for temporarily storing credit card data? Or do you know of a service that the full credit card data can be passed to but not charged and is secure, PCI compliant? They'd have to sign in to view the credit card, and then charge it via their wholesale account.

I really don't want to store credit card data in their website's database... I inquired, asking if the wholesaler provided them with silent post options, or an embedded form they can use.

I looked into Stripe but it stores the card as a token.

Any advice is much appreciated.

I just honestly think this whole request from my (potential) client is out of whack and I want to make sure we handle it correctly, securely, and properly.

Solution

Well, if your wholesaler does not offer an automated way to process data, you're going to have a hard time not storing the credit card info. This means that you probably will also have to get SAQ-D.

Storing a token of a card is not the same as storing the card details. In your case you will have to store the PAN and verification code for as long as the transaction (in this case the charge by the wholesaler) isn't made. Storing that data is what you want to avoid. A token is a lot better in this case. You will still have to be very careful how you store these tokens, but since you do not store sensitive CC data, you are not required to get SAQ-D.
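To make the distinction in the answer concrete, here is an added illustration (not code from the answerer, and not any real provider's API) of what "storing a token" means versus "storing the card details". `TokenVault` stands in for the PCI-scoped tokenization service that would actually hold the PAN and verification code; the merchant-side `capture_order` keeps only an opaque random token and a masked PAN, so its own database never contains sensitive card data. The vault enforces the roughly ten-minute window mentioned in the comments below by expiring tokens, and `mask_pan` shows the first six and last four digits, which is the display form PCI DSS permits. `SAMPLE_PAN` is a constructed test number, and the class, function and constant names are all assumptions for this example.

```python
import secrets
import time

# Constructed sample PAN: a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Hypothetical lifetime for a token: about the time the reseller needs
# to sign in to the wholesaler account and charge the card.
TOKEN_TTL_SECONDS = 10 * 60


class TokenVault:
    """Stand-in for a PCI-scoped tokenization service (hypothetical).

    The vault is the only component that ever sees the PAN and the
    verification code; everything outside it works with the token.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._store = {}       # token -> (card details, expiry timestamp)
        self._ttl = ttl
        self._clock = clock    # injectable clock so expiry can be tested

    def tokenize(self, pan, cvv):
        # A random token has no mathematical relation to the PAN, so
        # leaking the merchant database does not leak card numbers.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = ({"pan": pan, "cvv": cvv}, self._clock() + self._ttl)
        return token

    def detokenize(self, token):
        """Return the card details for a live token, or raise LookupError."""
        if token not in self._store:
            raise LookupError("unknown token")
        card, expires_at = self._store[token]
        if self._clock() >= expires_at:
            # Once the charge window has passed the data must not linger.
            del self._store[token]
            raise LookupError("token expired")
        return card

    def purge_expired(self):
        """Drop every token whose window has closed; returns how many."""
        now = self._clock()
        dead = [t for t, (_, exp) in self._store.items() if now >= exp]
        for t in dead:
            del self._store[t]
        return len(dead)


def mask_pan(pan):
    """First six and last four digits visible, the rest masked."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def capture_order(vault, pan, cvv):
    """Merchant-side record of an order: holds the token, never the card.

    The returned dict is what the reseller's own database would store.
    """
    token = vault.tokenize(pan, cvv)
    return {"token": token, "pan_masked": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = capture_order(vault, SAMPLE_PAN, "123")
    print("merchant stores:", record)
    print("vault returns for charge:", vault.detokenize(record["token"]))
```

The point of the two halves is scope: the merchant database holds `record` (token plus masked PAN), while only the vault, which in practice would be a PCI-validated provider rather than code the reseller writes, can turn the token back into the details the wholesaler charge needs. Compare that with the original emailed form, where the full PAN and verification code sat in a mailbox indefinitely.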

Comments (1)

  • +0 – @Lucas_Kauffman Thank you. The card information is really only needed for about 10 minutes or however long it takes the reseller to sign into their account and charge the card. Can you elaborate on the token method? I mean I can program something that would encrypt the card data and decrypt it in an Admin protected page. Or is there a service for this that is easily integrated? Thanks again. — Dec 19, 2014 at 21:24