jream — 2013-04-12T23:17:46-04:00 — #1
PCI Compliance is scary business and I don't have the time to manage someone's server.
My client needs to be able to pass a Credit Card to a 3rd party over the phone; the problem
is storing it on-site is illegal without PCI compliance.
Can I encrypt and store 1/2 of the Credit Card number, and email the other 1/2 to a Gmail account?
Would this be considered shady practice? Is it even legal?
logic_earth — 2013-04-13T14:06:40-04:00 — #2
No, you cannot do that. Don't even think of using email or the system the client is proposing. Have the client get a merchant account and payment gateway.
felgall — 2013-04-13T18:27:16-04:00 — #3
Storing any part of a credit card number on a computer connected to the internet is a breach of PCI. You are not allowed to do it when your site is PCI compliant.
Storing any part of a credit card number across thousands of email servers (as happens when emails are sent) is about the worst possible breach since then it is available in lots of places and not just one place - and even one place is one more than PCI allows.
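The advice in the two replies above (keep the full card number off your own systems and out of e-mail, and let a merchant gateway hold it) is easier to enforce with a check in place. The following is an added Python example, not code from this thread or from any of the posters: it finds candidate card numbers in free text, filters them with the Luhn check so order numbers and phone numbers are not flagged, masks them to the last four digits before a note is logged or e-mailed, and shows the record a merchant keeps locally when a gateway holds the card. The sample note, the `tok_EXAMPLE_PLACEHOLDER` token and all function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every real card number passes it, while most
    other digit runs (order ids, phone numbers) fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits. PCI DSS allows at most the first six
    and last four to be displayed; last four alone is enough for a receipt."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, normalized_digits) for each Luhn-valid PAN in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def scrub_outbound(text: str) -> Tuple[str, List[str]]:
    """Replace every PAN with its masked form before the text is logged,
    e-mailed or stored; returns the scrubbed text and the masked PANs found."""
    found: List[str] = []
    out: List[str] = []
    last = 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        masked = mask_pan(digits)
        out.append(masked)
        found.append(masked)
        last = end
    out.append(text[last:])
    return "".join(out), found


def card_record(gateway_token: str, digits: str) -> dict:
    """What the merchant keeps locally when a payment gateway holds the card:
    the gateway's token plus the last four for display. The PAN is not stored."""
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return {"token": gateway_token, "last4": digits[-4:]}


# Constructed sample: a support note someone was about to e-mail.
SAMPLE_NOTE = (
    "Order 1234567890123456 for J. Doe. Card: 4111 1111 1111 1111 "
    "exp 12/25, CVV 123 - please charge $40."
)

if __name__ == "__main__":
    scrubbed, found = scrub_outbound(SAMPLE_NOTE)
    print(scrubbed)
    print("PANs masked:", found)
    # Token value is a constructed placeholder, not a real gateway token.
    print(card_record("tok_EXAMPLE_PLACEHOLDER", "4111111111111111"))
```

Run on the sample note, the order number survives untouched (it fails Luhn) while the card number becomes `************1111`. The scrubber only handles the PAN; the CVV in the same note is sensitive authentication data that PCI DSS forbids storing after authorization at all, so a note like this should never be written down in the first place.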
jream — 2013-04-14T00:36:17-04:00 — #4
Thanks, you guys. I knew some folk who did it back yonder (without naming names); obviously not a good idea -- never thought of the emails being stored on many servers, doh!