Credit Card Processing

True it’s not a law (yet), but if you don’t comply with PCI, Visa/MC/Discover, etc are likely to revoke your merchant account…. that’s part of what the certifications are about… if your hardware setup doesn’t certify initially, they’ll make you fix it (things like ssl certs, firewalls, etc) before they’ll turn on your account.

The PCI standard is very clear about what you can / can’t store on your server, and under what circumstances.

Here’s a link to the standards site: https://www.pcisecuritystandards.org/

I see that they have also included a section just for software developers to create applications that adhere to the standard, and not store any prohibited data. That part is new since I looked last, so might be a good read for us all.

Hope that helps

Matt
[sig moderated]

By using paypal, people can also buy products through credit cards and u can recieve payment in your account. Then u can transfer those to your bank account

If you really want to store credit card info in a database, the look into how to store data in the Options table. It’s really not hard at all, if you do some research.

But as stated, encrypting the CC info is a different story.

Storing CC numbers in the app is an unusual approach.

Is it because you would like to offer your customers the same payment method on a return visit? For convenience? Or because you are going to run the transaction later offline?

I developed an ecommerce site which needed to store customer payment methods so they could be billed again later without re-entering their details. The implementation choices were
a) store the CC numbers in the app, or
b) offload this storage requirement to a Payment Processor. Both PayPal and Authorize.net (for instance) offer a way to save the CC billing information and refer to it later for a sale.

If you choose to save the billing information yourself in your own app then according to PCI standards it MUST NOT reside on a server which is directly accessible from the Internet. If you are using WordPress then the app is on an Internet accessible server (obviously) but depending on where the database is hosted you may technically be meeting PCI requirements – although I wouldn’t push that reasoning too hard with a certification engineer.

But my greatest concern with what you’re suggesting is this: WordPress is a platform that doesn’t partition plugins into their own security domains. Think about it, when a plugin loads its got access to ALL the database. So if you’re going to store CC numbers and other billing information, you should at least encrypt them first. And don’t leave the encryption key and method lying around in the database either.

Personally, I think you’re playing with fire here. If you store CC numbers you’re running a real risk with serious downside. If the website app is going to be owned by a business, then you’ll be putting that business’ reputation and financial assets at serious risk.

Consider storing the details in a real CC vault – either one provided by the payment processors or one built yourself running on a secured server.

ClickCartPro is a full featured shopping cart software that will install on virtually any web server, and does not require root access or special modules. ClickCartPro have a plug-in developed to integrate directly to the Real ex Payments solution. The entire software package uses SQL and a relational database model, which allows tie-ins to many RDBMS (MySQL, PostgreSQL, MS SQL Server, etc.). It runs out of the box in CSV mode. 100% of the front-end and web based administrator is configurable using its 200+ functions.For more details please visit[WWW.clickcartpro.eu.com].
————————
Barbie Purl

I’ve been in a similar situation to yours – while I knew deep inside WordPress wasn’t the most suitable, it was all I practically had experience with, and thus worked my way around using it.
Google ‘PCI Compliance’ to find out if the plugin you’re using to store CC data is legally acceptable.

With regard to using paypal, we have closed our paypal account and will never use paypal again. The reason is because our paypal account was hacked. Paypal claims they have no knowledge of such, and ebay offered us no recourse either (it was opened via ebay and hacked via ebay). Someone was selling product under our ebay and paypal accounts, and then changed the passwords so that we could not get in. Plus, they were not sending the products for which they were collecting payment. They did not change the email address, so we got angry emails from THEIR customers who were getting screwed. Luckily, we never kept more than about 80 cents in the account, so we didn’t get robbed, just had our name & account dragged through the mud. Canceling ebay and paypal put an end to our involvement in the fraud, tho I don’t know if it changed anything the other person/entity was doing.

To make matters worse, a cousin had been selling lots of stuff on ebay and taking paypal payments. They had almost $1,000 in the account when it got drained. They, too, had no recourse and lost it all, only fixing their “problem” by canceling their paypal account.

Finally, I’ve read on one prominent ecommerce site that more than 60% of the transactions were aborted when the consumer got to the paypal payment screens. He solved the problem by having his own merchant account. Now, almost 98% of the transactions are successfully completed. This indicates to me that paypal is quick and easy, but probably not the professional quality that some would like – in contrast to having a merchant account that appears much more professional and private.

Note: These experiences are my own, and they are true as I have related them here. Your experiences may be different, and I encourage you to achieve your own results.

thank you all for this dialogue, i knew nothing about this and have clients ask all the time