Author Topic: PCI Question  (Read 5265 times)

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14305
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
PCI Question
« on: December 11, 2019, 09:48:50 PM »
So I have a client that has proprietary pricing.  He wants to have a secure page where people can respond to a quote that he sent out with modifications where they provide their CC info for future processing (sometimes they don't ship an order for 2 weeks because a lot of the work is custom and they don't charge until they ship).  The collection is all easy and fine.  Done that a bunch of times.  My issue is passing the CC info off to him.  I've only dealt with passing the CC off to a 3rd party where they process the payment and the CC info is gone.  I need to somehow securely get it to him and store it until he processes the payment.


That scares the shit out of me from a PCI compliance standpoint.  In an ideal world I would pass the CC off to a 3rd party to verify the card details and have THEM hold the information until payment is processed.  But I'm not even sure that is an option.  The last thing I want to do is just hold the information in a database somewhere and that gets hacked and he and I both go to jail.  I mean worst case I would only hold it until the payment is processed but still I don't like it.


Thoughts?

Mike

  • Jackass In Charge
  • Posts: 11248
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: PCI Question
« Reply #1 on: December 12, 2019, 12:34:01 AM »
I feel ya.  We looked at CC processing earlier in the year and quickly realized we don't want to do it ourselves and do want to use a third party.

I really feel like there is a 3rd party processor that can do this.  Entering the details at order time but not billing until shipping is super common.

From the bit I remember you basically want to separate out your web server from your processing server.  They should at least be separate VMs.  The processing server should be encrypted at rest.  The rest I don't quite remember.

Honestly, this is an area that I wouldn't touch.  Too much potential for things to go wrong and a ton of civil liabilities.

KnuckleBuckett

  • Jackass In Charge
  • Posts: 8674
  • Karma: +26/-259
  • I search a lot (http://google.com)
Re: PCI Question
« Reply #2 on: December 12, 2019, 05:34:37 AM »
Tell him 3rd party.

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
Re: PCI Question
« Reply #3 on: December 12, 2019, 06:03:47 AM »
What third party system are you using?

I know with Authorize.net and Stripe (the only two I've worked with other than basic PayPal stuff... oh, and a really shitty vendor named Payliance*) they allow you to (optionally) pre-auth a card and then store a token for that customer and charge at a future date.

For example: https://stripe.com/docs/saving-cards

So, like you're doing now, the actual PII and PCI-related data stays at the 3rd party and you just charge it later via API or their web-based dashboard (if the gateway provider has one).

*edit: I just remembered, Payliance was for ACH transactions and did NOT store data; in that case I encrypted the account number in the database.  I never had a security or compliance audit, so maybe I didn't do it 100% correct, but it was a secure encryption method and the database was on a different server than the decryption key.
« Last Edit: December 12, 2019, 06:11:40 AM by micah »
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."
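The tokenize-now, charge-on-ship flow micah describes, as an added example that is not from this thread and not Stripe's or Authorize.net's real API: `FakeGateway` is a constructed stand-in for the third-party vault, and `looks_like_pan` is a defender-side check that the merchant's own records never end up holding a card number.

```python
"""Card-on-file via gateway token (added example; gateway is a constructed stand-in)."""
import re
import secrets
import string


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; rejects typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """Scan a merchant-side value for a 13-19 digit Luhn-valid run (possible leaked PAN)."""
    return any(luhn_ok(m.group()) for m in re.finditer(r"\d{13,19}", str(value)))


class FakeGateway:
    """Stand-in for the PCI-scoped third party: it alone ever sees the full card."""

    def __init__(self):
        self._vault = {}  # token -> card details; lives only on the gateway side

    def tokenize(self, pan: str, exp: str, cvc: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        # Letters-only token so it can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._vault[token] = {"pan": pan, "exp": exp}  # CVC used for the pre-auth only, never stored
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "succeeded", "amount": amount_cents}


def save_pending_order(db: list, gateway, quote_id: str, pan: str, exp: str, cvc: str) -> dict:
    """Merchant side at quote acceptance: persist only the token and display data."""
    card = gateway.tokenize(pan, exp, cvc)
    record = {"quote_id": quote_id, "token": card["token"], "last4": card["last4"], "charged": False}
    if any(looks_like_pan(v) for v in record.values()):
        raise RuntimeError("refusing to store: record contains a card number")
    db.append(record)
    return record


def charge_on_ship(db: list, gateway, quote_id: str, amount_cents: int) -> dict:
    """Merchant side weeks later: charge the stored token, never the card itself."""
    rec = next(r for r in db if r["quote_id"] == quote_id)
    result = gateway.charge(rec["token"], amount_cents)
    rec["charged"] = True
    return result
```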

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14305
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: PCI Question
« Reply #4 on: December 12, 2019, 10:06:47 PM »
I don't have a 3rd party system with him right now.  I've used Sage (2 diff versions), Paypal, Stripe, and ... something else I can't remember.  He uses Comerica Bank which claims to have merchant services so I probably just need to call them to see what they offer.  I really don't like this project at all honestly.  I mean it's not complicated as far as the concept but the risk is through the roof if not handled properly.

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
Re: PCI Question
« Reply #5 on: December 13, 2019, 12:23:56 AM »
For what it's worth (and I can imagine it might be a tough sell to some clients), he might be better served using Stripe for online transactions (separate from his Comerica account) and then just set up Stripe to disburse funds to his other account on a rolling basis.  Makes the programming way easier for you (and thus cost effective for him) and greatly limits his (and your) liability.  Not to mention, many traditional card merchants charge hefty fees (both for setup and recurring monthly usage) for payment gateways.

hans

  • Guitar Addict
  • Jackass In Charge
  • Posts: 3523
  • Karma: +46/-18
Re: PCI Question
« Reply #6 on: December 13, 2019, 10:32:00 PM »
Just use Stripe.
This signature intentionally left blank.

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14305
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: PCI Question
« Reply #7 on: December 19, 2019, 08:54:55 AM »
Stripe might be the way to go.  I'm still evaluating if I want to do this.  The project overall is pretty straightforward and might turn into something bigger over time.  I just hate the CC stuff.  Thanks for the input, guys.

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
Re: PCI Question
« Reply #8 on: December 20, 2019, 06:02:49 AM »
Stripe might be the way to go.  I'm still evaluating if I want to do this.  The project overall is pretty straightforward and might turn into something bigger over time.  I just hate the CC stuff.  Thanks for the input, guys.

What's the tech stack?  I could use a project ;)

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14305
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: PCI Question
« Reply #9 on: December 20, 2019, 10:34:35 AM »
PHP/Slim/PHPActiveRecord/MySQL - nothing crazy.  Thought about doing a .NET Core API this time around but I don't think I'll have time but I want to learn it.  It's not really that big of a project and I've already got some aspects of it that I'm going to borrow from another project.