Storing Credit Card information

>Our company wants me to make it easier for customers to make
>repeat purchases in our e-commerce applications.  Specifically,
>they want an Amazon type system where the customer does not
>have to pull the credit card out of their wallet.  While I
>agree that this would definitely increase sales, I've never
>done this kind of thing because of the liability of having the
>cc numbers in our databases.  In my researching, I'm also
>seeing that its possibly illegal (though it seems hard for me
>to believe).
>
>Does anybody have any advice for me?  Is there a way I can do
>it (encryption-wise) that would be safe?  Is it totally
>illegal?  How does amazon get away with it?

> Hi List,
>
> Our company wants me to make it easier for customers to make repeat  
> purchases in our e-commerce applications.  Specifically, they want  
> an Amazon type system where the customer does not have to pull the  
> credit card out of their wallet.  While I agree that this would  
> definitely increase sales, I've never done this kind of thing  
> because of the liability of having the cc numbers in our databases.  
> In my researching, I'm also seeing that its possibly illegal (though  
> it seems hard for me to believe).
>
> Does anybody have any advice for me?  Is there a way I can do it  
> (encryption-wise) that would be safe?  Is it totally illegal?  How  
> does amazon get away with it?

>
> On 2009-11-05, at 4:22 PM, Todd Vainisi wrote:
>
>> Does anybody have any advice for me?  Is there a way I can do it  
>> (encryption-wise) that would be safe?  Is it totally illegal?  How  
>> does amazon get away with it?
>
>
> It's not like you can use them behind their back...without going to  
> jail.  The only saving you will gain is having the user not re-
> enter thier number.  Is all that worth it?  Your users can initiate  
> sales at any time.  It's not like not keeping their cc info is  
> going to have them stop.  I'm sure your company doesn't understand  
> the ramifications of storing cc information, including PCI  
> compliance, liabilities, etc.  16 digits, that's it.
>
> Also, I think your users would be glad to know you don't store  
> their cc information.
>
>
> _____________
> Rich in Toronto
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> Todd,
> Authorize.net, PaymenTech, and probably others have an add-on  
> service that allows you to create customer profiles on their servers  
> that you can access for returning customers. While it is a  
> convenience, I am sometime creeped out at idea of even someone as  
> large as Amazon having access to that information.
>
> It is more of an issue if you are playing on the same level as sites  
> like Amazon. I agree with Rich that most people would be happier to  
> think that  your web site does not have access to such information.
> .................................
> Kevin Bice
> 512-879-1653
> http://fmpweb.com
> .................................
> Web Development and Design
>
>
>
> On Nov 5, 2009, at 3:50 PM, Viaduct Productions wrote:
>
>>
>> On 2009-11-05, at 4:22 PM, Todd Vainisi wrote:
>>
>>> Does anybody have any advice for me?  Is there a way I can do it  
>>> (encryption-wise) that would be safe?  Is it totally illegal?  How  
>>> does amazon get away with it?
>>
>>
>> It's not like you can use them behind their back...without going to  
>> jail.  The only saving you will gain is having the user not re-
>> enter thier number.  Is all that worth it?  Your users can initiate  
>> sales at any time.  It's not like not keeping their cc info is  
>> going to have them stop.  I'm sure your company doesn't understand  
>> the ramifications of storing cc information, including PCI  
>> compliance, liabilities, etc.  16 digits, that's it.
>>
>> Also, I think your users would be glad to know you don't store  
>> their cc information.
>>
>>
>> _____________
>> Rich in Toronto
>>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>>
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> Hi, Todd:
>
> We use the AIM CIM and it is great!
>
> However, these are the issues we have had:
>
> 1. It does not return a masked credit card number so you will need  
> to store the last four digits
>
> 2. It does not return the type of credit card (which may be  
> important) so we store that too.
>
> 3. It does not store the expiration date...so store that too :-)
>
> DO NOT STORE THEM YOURSELF.
>
> Perhaps to disagree, but our customers and their customers really  
> like it!
>
> Deco
> On Nov 5, 2009, at 3:30 PM, Kevin Bice wrote:
>
>> Todd,
>> Authorize.net, PaymenTech, and probably others have an add-on  
>> service that allows you to create customer profiles on their  
>> servers that you can access for returning customers. While it is a  
>> convenience, I am sometime creeped out at idea of even someone as  
>> large as Amazon having access to that information.
>>
>> It is more of an issue if you are playing on the same level as  
>> sites like Amazon. I agree with Rich that most people would be  
>> happier to think that  your web site does not have access to such  
>> information.
>> .................................
>> Kevin Bice
>> 512-879-1653
>> http://fmpweb.com
>> .................................
>> Web Development and Design
>>
>>
>>
>> On Nov 5, 2009, at 3:50 PM, Viaduct Productions wrote:
>>
>>>
>>> On 2009-11-05, at 4:22 PM, Todd Vainisi wrote:
>>>
>>>> Does anybody have any advice for me?  Is there a way I can do it  
>>>> (encryption-wise) that would be safe?  Is it totally illegal?  
>>>> How does amazon get away with it?
>>>
>>>
>>> It's not like you can use them behind their back...without going  
>>> to jail.  The only saving you will gain is having the user not re-
>>> enter thier number.  Is all that worth it?  Your users can  
>>> initiate sales at any time.  It's not like not keeping their cc  
>>> info is going to have them stop.  I'm sure your company doesn't  
>>> understand the ramifications of storing cc information, including  
>>> PCI compliance, liabilities, etc.  16 digits, that's it.
>>>
>>> Also, I think your users would be glad to know you don't store  
>>> their cc information.
>>>
>>>
>>> _____________
>>> Rich in Toronto
>>>
>>>
>>> --
>>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>>
>>>
>>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>>
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

>
> On 2009-11-05, at 5:57 PM, Deco Rior (Tennissource) wrote:
>
>> DO NOT STORE THEM YOURSELF.
>>
>> Perhaps to disagree, but our customers and their customers really  
>> like it!
>
> I'd like to stress that this can be a strong marketing point.  Don't  
> overlook this.
>
> When you weigh the time it takes to enter this number, versus the  
> time to replace a card and update regular charges, etc., is  
> incomparable.

>
> On 2009-11-05, at 5:57 PM, Deco Rior (Tennissource) wrote:
>
>> DO NOT STORE THEM YOURSELF.
>>
>> Perhaps to disagree, but our customers and their customers really  
>> like it!
>
> I'd like to stress that this can be a strong marketing point.  Don't  
> overlook this.
>
> When you weigh the time it takes to enter this number, versus the  
> time to replace a card and update regular charges, etc., is  
> incomparable.
>
> _____________
> Rich in Toronto
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

>Hi List,
>
>Our company wants me to make it easier for customers to make
>repeat purchases in our e-commerce applications.  Specifically,
>they want an Amazon type system where the customer does not
>have to pull the credit card out of their wallet.  While I
>agree that this would definitely increase sales, I've never
>done this kind of thing because of the liability of having the
>cc numbers in our databases.  In my researching, I'm also
>seeing that its possibly illegal (though it seems hard for me
>to believe).
>
>Does anybody have any advice for me?  Is there a way I can do
>it (encryption-wise) that would be safe?  Is it totally
>illegal?  How does amazon get away with it?
>
>T Vainisi
>
>
>
>
>--
>This list is a free service of LassoSoft: http://www.LassoSoft.com/
>Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

>
> On Nov 5, 2009, at 5:59 PM, Viaduct Productions wrote:
>
>>
>> On 2009-11-05, at 5:57 PM, Deco Rior (Tennissource) wrote:
>>
>>> DO NOT STORE THEM YOURSELF.
>>>
>>> Perhaps to disagree, but our customers and their customers really  
>>> like it!
>>
>> I'd like to stress that this can be a strong marketing point.  
>> Don't overlook this.
>>
>> When you weigh the time it takes to enter this number, versus the  
>> time to replace a card and update regular charges, etc., is  
>> incomparable.
>
> Convenience vs. security is always the debate.  I prefer sites that  
> let me choose whether or not to remember my card information, and  
> despise sites that automatically remember it whether I want them to  
> or not.
>
> -Brad
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> Don't.  As others have said, the risk of storing CC#s in any form is  
> too great unless your client has literally $100k's of resources to  
> pay fines and attorney fees when the data is eventually cracked or  
> stolen.  Usually the crime is committed as an inside job.  The  
> monthly fee for gateway services is a great insurance policy.
>
> Authorize.net offers AIM and CIM methods for CC transactions.  Both  
> allow for Automated Recurring Billing (ARB).  The difference is that  
> CIM allows you to store a customer profile along with billing and  
> shipping profiles on Authorize.net services.  All you do is store  
> the profile IDs on your server and retrieve the profile data from  
> Authorize.net's servers through an XML call.
>
> You can download my AuthorizeNet_AIM tag for more information,  
> including documentation and requirements.
>
> http://www.tagswap.net/AuthorizeNet_AIM
>
> There is also a thread about the CIM method, along with some custom  
> tags I wrote, but have not cleaned up and made available yet.
>
> http://old.nabble.com/Authorize.net-CIM---ARB-%2C-xmltree-and-SOAP-to25443822.html#a25517732
>
> --steve
>
>
>
> On 11/5/09 at 4:22 PM, Todd@... (Todd Vainisi)  
> pronounced:
>
>> Hi List,
>>
>> Our company wants me to make it easier for customers to make repeat  
>> purchases in our e-commerce applications.  Specifically, they want  
>> an Amazon type system where the customer does not have to pull the  
>> credit card out of their wallet.  While I agree that this would  
>> definitely increase sales, I've never done this kind of thing  
>> because of the liability of having the cc numbers in our  
>> databases.  In my researching, I'm also seeing that its possibly  
>> illegal (though it seems hard for me to believe).
>>
>> Does anybody have any advice for me?  Is there a way I can do it  
>> (encryption-wise) that would be safe?  Is it totally illegal?  How  
>> does amazon get away with it?
>>
>> T Vainisi
>>
>>
>>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>>
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Steve Piercy               Web Site Builder               Soquel, CA
> <web@...>                  <http://www.StevePiercy.com/>
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> On 11/5/09 at 6:24 PM, lists@... (Viaduct  
> Productions) pronounced:
>
>> On 2009-11-05, at 6:22 PM, Steve Piercy - Web Site Builder wrote:
>>
>>> Just like an STD, it only takes one time in Vegas.
>>
>> Please elaborate.  I'm not from California.
>
> Perhaps you can better relate to this: it only takes one time in de  
> Wallen.