While I can appreciate and agree with everything that is being stated about not storing credit cards, the one issue I constantly run into is this:
Even though CC's are processed through an Internet merchant account in real time and not stored on a client's database, clients want to be able to access the number so that they can a) issue refunds/credits or b) have recurring billing, such as would occur with a subscription. I just went out and checked Authorize.net's virtual terminal and in the refund/credit mode, the form requires the full cc number and exp date. In this case should the client just store the last 4 digits of the number and not store the exp date at all, then contact the customer when a refund is to be processed (referencing the ending card digits)? In the case of recurring billing, Authorize.net now includes that as part of their offerings. Unfortunately, most clients get the impression that storing CCs is OK, because they do business with Amazon and GoDaddy, and others which keeps their numbers on file (with the user's permission). I'm sure these companies have multiple layers of security. Thanks, Mark ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218955 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
