Isn't this one of those threads that pops up every month? I'll do my part and make the same arguments that I'm sure someone made last month :-)
I'd be interested in seeing some real world data - how many "brick and mortars" stored credit card info? I'd venture to guess most of them. (Otherwise, how does Target know which card to credit when I have a return?)

Now, that being said, the poster's original question wasn't one of debate, but rather, a quest for arguments. It's fairly obvious that there are some business needs behind storing credit cards, and not doing so could complicate or prevent some business needs from being met. If you go to your manager and say, "You are wrong, and this is why" he'll probably call you names in 17 different languages. You need to ensure that you say, "This is why you're wrong, but here are the steps to correct things and still attain the same objects as your incorrect implementation".

If you can't come up with ways to attain the same business objectives (i.e., recurring billing, refunds/credits, etc.) without storing the number, I wouldn't bother. Otherwise, you're in a position of arguing AGAINST the business objectives, which is never a fightable battle.

---
Billy Cravens

-----Original Message-----
From: doug [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 3:57 PM
To: [EMAIL PROTECTED]
Subject: Re: offTopic: Saving Credit Card Info

One item to prove the point against the storing of credit card information is the potential liability of your company in the event your database is compromised. This is turning into the new frontier of Tort claims, and insurance companies are backing off of liability coverage as momentum grows to sue the merchant who allowed his system to be compromised, either from the outside or the inside.

Second, and this is my own opinion, there is no business justification for keeping databases of credit card information, that is, unless you are the card issuer. The merchant should limit his use of this information only to the extent necessary to secure payment for the sale, after which all references to the card should, as a best practice, be erased.
You are under obligation to seek another means to efficiently handle returns and credits, and not only protect the privacy and security of the card holder, but to protect you against liability for misuse of the information.

Third, there is also the matter of trust. The card holder must be able to trust his merchant to properly secure his information in order to build a base of business.

----- Original Message -----
From: "Roger Dahlstrom" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 23, 2002 2:08 PM
Subject: RE: offTopic: Saving Credit Card Info

You could always point him to the myriad news stories that show how people are able to run exploits to download card databases...

Personally, I do store them, but on an offline database with encryption. I find that it's easier to process certain customer service issues such as returns.

-----Original Message-----
From: Josh Carrico [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 11:29 AM
To: [EMAIL PROTECTED]
Subject: offTopic: Saving Credit Card Info

Sorry for the Extremely off topic question... But, would anyone happen to know any good resources for proving a point to my employer that we shouldn't Store Credit Card information? Apparently Verisign's word to the wise that "credit card numbers (If they must be stored) should be stored encrypted (It is best not to store credit card numbers at all)" AND all the cases of Hackers stealing credit card numbers just doesn't faze them.

Thanks in advance.

Josh Carrico
