At 1:38 AM -0400 5/31/10, Paul M Foster wrote:
On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:

 > Besides, most credit card processing agencies even require that you
 use the customer's data (cc number, expiry date and CCS) to make the
 sale and then immediately dispose of it afterwards, usually within 24
 hours under a signed agreement. Holding that information for more
 than 24 hours can be a criminal offense regardless of what type of
 hashing you use.

Not true. It depends on the type of merchant and the situation.


"Not true" and "It depends" are conflicts in logic.

Either what I said is "true" or it isn't -- and if what I said is "true" for some (as it is and I can prove it) then what I said is indeed "true".

I'm curious, why say it's not "true" and then follow with "it depends"? It appears to me that you have your mind made-up and don't care to listen to our experiences and recommendations.

That's Okay, but I'm simply telling you what I KNOW to be true. You may either accept what I have to say, or reject it, but to reply that what I say is "Not true" is somewhat offensive and confrontational. I hope you didn't mean it that way. :-)

validation process allows for storage of all data except the 3-4 digit
validation number. What I'm asked for at transaction time is the CC
number, expiration date, digits for the billing address, and the billing
zip code. And I can get the address and zip digits completely wrong and
still have the transaction go through.

Party true.

What data are used in credit card transactions are the: name of the card holder, credit card number, expiration date, CCV number, and zip code. I have not dealt with any credit card processors that require the billing address -- they just use the zip code. Additionally, it is up to the client to determine the level of security they want. They *can* require that *all* information be correct before accepting a sale.

The downside of not requiring *all* the data to be correct is that the rate the credit processor charges for the transaction rises. Simply and logically put, if you don't get all the information correct, then there is risk and that risk is passed on to the client via an elevated charge for processing -- look it up.

The up-side of getting only the minimal data is getting a sale under a higher risk/rate -- that's the clients choice and they usually choose it.

We've been doing it this way for 14 years and using the type of service
you suggest would be expensive and impractical. Only in the last two
years has PCI become more stringent in their requirements. And
consequently, I'm having to re-evaluate how we store this particular
information. Otherwise, our physical and other security is more than
adequate. Yes, of course, if you have a machine gun or you're Kevin
Mitnick, or you have a network of 20,000 bots pounding on my router,
you're coming in anyway. Again, this is about *reasonable* security.

You asked for opinions -- do what you want.  :-)




PHP General Mailing List (
To unsubscribe, visit:

Reply via email to