That is unequivocally wrong. However, depending on what you're doing there are different levels of Compliance. Since you are storing credit cards, I thought you get bumped up to the highest level of compliance.
DotComIt ( Flextras ) does a self assessment questionnaire and a quarterly web site scan to remain compliant. We store no CC info. PCI Compliance issues also directed some of our development decisions. For example, credit card info is never displayed to the screen even in receipts. When in memory, it is encrypted; I believe using a session specific key. When a purchase is complete the CC info is deleted from memory, thus minimizing the amount of time our server touches the CC info.

--- In [email protected], Lee Jenkins <l...@...> wrote:
>
> Laurence MacNeill wrote:
> >
> >
> > At 09:35 AM 2/11/2010, you wrote:
> >
> >
> > >As far as I am aware you aren't allowed to store credit card numbers
> > >yourself without a weekly security audit from the card issuer...
> >
> > Do what?! I've never heard of this... If that's the case, then the
> > company I work for has been breaking the law for YEARS! We store CC
> > data (encrypted, of course) in our current database so that if a
> > customer changes their mind, we don't have to reacquire the CC info
> > from them to charge (or refund) their account.
> >
> > In the Flex app that I'm writing, the plan is to continue to do the
> > same thing...
> >
>
> My understanding is that PCI Compliance is not yet necessary for in-house
> products.
>
> --
> Warm Regards,
>
> Lee
>
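The handling pattern the DotComIt post describes (card data encrypted in memory under a session-specific key, never rendered in full on a receipt, and wiped once the purchase completes) as an added Python example. This is not code from the thread or from DotComIt/Flextras; the class and function names are my own, and the HMAC-SHA256 counter-mode keystream is an assumed stand-in for AES because Python's standard library has no block cipher.

```python
"""Added example: in-memory card handling with a per-session key, masked
receipts and wipe-on-completion. Not code from the thread; names and the
HMAC-counter keystream (standing in for AES) are this example's assumptions."""
import hashlib
import hmac
import secrets
from contextlib import contextmanager


def mask_pan(pan: str) -> str:
    """Receipt-safe rendering of a card number: only the last four digits survive."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a PRF keystream.
    Assumed stand-in for AES; a vetted AEAD (e.g. AES-GCM) belongs here in real code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class SessionCardVault:
    """Holds card data only in encrypted form under a key that lives for one session."""

    def __init__(self) -> None:
        # Session-specific key: generated per session, never written anywhere.
        self._key = bytearray(secrets.token_bytes(32))
        self._blobs = {}  # handle -> (nonce, ciphertext, tag)

    def store(self, pan: str) -> str:
        """Encrypt and authenticate the PAN; hand back an opaque handle."""
        nonce = secrets.token_bytes(16)
        plaintext = pan.encode()
        ks = _keystream(bytes(self._key), nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(bytes(self._key), nonce + ct, hashlib.sha256).digest()
        handle = secrets.token_hex(8)
        self._blobs[handle] = (nonce, ct, tag)
        return handle  # callers pass the handle around, never the PAN

    @contextmanager
    def reveal(self, handle: str):
        """Decrypt into a mutable buffer for the charge call, then zero it."""
        nonce, ct, tag = self._blobs[handle]
        expected = hmac.new(bytes(self._key), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("card blob failed authentication")
        ks = _keystream(bytes(self._key), nonce, len(ct))
        buf = bytearray(a ^ b for a, b in zip(ct, ks))
        try:
            yield buf
        finally:
            for i in range(len(buf)):  # wipe the plaintext copy
                buf[i] = 0

    def purchase_complete(self, handle: str) -> None:
        """Purchase done: drop the encrypted blob so the server stops holding it."""
        self._blobs.pop(handle, None)

    def holds(self, handle: str) -> bool:
        return handle in self._blobs

    def end_session(self) -> None:
        """Discard every blob and zero the session key."""
        self._blobs.clear()
        for i in range(len(self._key)):
            self._key[i] = 0


if __name__ == "__main__":
    vault = SessionCardVault()
    h = vault.store("4111 1111 1111 1111")  # constructed test PAN
    with vault.reveal(h) as card:
        print("charging", mask_pan(card.decode()))  # receipt shows ************1111
    vault.purchase_complete(h)
    vault.end_session()
```

The handle is what the rest of the application carries around; the plaintext PAN exists only inside the `reveal` block and is zeroed on exit. One honest caveat: Python's immutable `str`/`bytes` objects (the argument to `store`, for instance) cannot be scrubbed, so the guarantee here is "no long-lived plaintext copy", not "no plaintext ever in process memory".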

