Google Answers: Shopping Cart E-Commerce Solution

View Question

Q: Shopping Cart E-Commerce Solution ( Answered 5 out of 5 stars

Question

Subject: Shopping Cart E-Commerce Solution
Category: Computers > Software
Asked by: snowman1-ga
List Price: $10.00

Posted: 12 Dec 2003 20:36 PST
Expires: 11 Jan 2004 20:36 PST
Question ID: 286576

I'm seeking to find people or an expert that can provide advice on secure credit card storage of customer details, for a real time shopping cart.
Request for Question Clarification by joseleon-ga on 12 Dec 2003 23:12 PST Hello, snowman1: Do you want to store customer credit card data? Or do you simply want to allow credit card payment on your website? I recommend you the second option because all you need is a payment gateway managed by a third party and it's easier to setup than the first one. Regards.
Clarification of Question by snowman1-ga on 13 Dec 2003 02:16 PST Hi Joseleon, Yes we need to store credit card data on a seperate server to our website. The e-commerce gateway is tested and more or less complete to carry out real time transactions. However, we need to store credit card details separately in order to process adjustments (e.g. cancellation penalties, ammendment fees, supplier guarantees on customer etc etc. ) The access is only for certified personnel to operate under log in. General operators have access to the details minus 4 or 5 digits I believe. I know merchants do this, but i can't find anyone that will provide a spec consequent to the exercise, scripts or otherwise. Hope this helps Kind Regards
Request for Question Clarification by joseleon-ga on 13 Dec 2003 02:33 PST Hello, snowman1: Ok, in that case, what kind of advice are you looking for? Are you looking for requeriments you need to meet to get certified by a third party that you are using a secure system to store that data? Or are you looking for something else? Regards.
Clarification of Question by snowman1-ga on 03 Jan 2004 23:57 PST Hi Joseleon, My apologies for not having responded - i must have been confused since i thought i had already answered your question Since last speaking with you it seems our developer has an understanding of our needs. I was looking for an "off the shelf" Perl cgi script to syphon off the credit cards details and customer account/product details to a seperate secure server ( away from our sites server ) - if you can help fine, but i think we may be OK - apparantly it's a couple of days programming. Thanks again and Happy New Year Alistair
Request for Question Clarification by joseleon-ga on 04 Jan 2004 06:55 PST Hello, snowman1: Ok, in that case is clear, but would you be interested in info about how to protect and handle customer credit card info? This is very important for any business that deal with sensitive data. Regards.
Clarification of Question by snowman1-ga on 04 Jan 2004 14:29 PST Hi Joseleon, Yes this would be fine. Kind Regards Alistair

Answer

Subject: Re: Shopping Cart E-Commerce Solution
Answered By: joseleon-ga on 05 Jan 2004 01:29 PST
Rated: 5 out of 5 stars

Hello, snowman1:
Ok, in that case, here are some things you may/may not do when you
are storing customer credit card info:

What you need to do:
-Privacy policy:
Setup a privacy policy on your website/application that explains to
the user how you protect their information. You can get more info on
how to create and mantain your privacy policy here:

Online Privacy Guide
http://home5.americanexpress.com/merchant/resources/fraudprevention/privacypolicyguide.asp

-Firewalls
Employ internal and external firewalls to prevent intrusions from the
internet and from within your organization.

-Encryption
Be sure all data transmitted over the web uses SSL and the credit
card info is stored encrypted using a strong algorithm

-Employee access/passwords
Assign employee access to payment data on a need-to-know basis.
Issue a unique ID to each person with computer access to payment data.
Maintain the ability to track employee access to payment data through
the use of unique IDs.
Change employee passwords regularly.
Ensure employee information security policy is communicated.
Require two-person control to access encrypted data.

-Systems
Routinely test internal security systems and processes. Annual
certification of systems and processes by a third party Security
Evaluation Company is preferred.
Maintain physical building and premise access security.
Restrict physical access to payment data.

What you must not do:
-Never store payment data on a web server or cache anywhere in memory
related to a web server. Payment data may only be stored in a separate
database, with at least one external firewall.

-Never use payment data for any purpose other than processing future transactions.

This info has been adapted from the contents of this webpage:

Data Security Standards
http://home5.americanexpress.com/merchant/resources/fraudprevention/datasecurity_standards1.asp

I hope this helps, but in any case, don't hesitate to request for any
clarification.

Regards.

snowman1-ga rated this answer: 5 out of 5 stars

and gave an additional tip of: $3.00

Thanks for the speed and accuracy of the answers plus going the extra mile

Comments

Subject: Re: Shopping Cart E-Commerce Solution
From: alanfox70-ga on 12 Dec 2003 21:08 PST

If you want to have e-commerce in your website, you need 2 basic
elements: Shopping cart and Merchant gateway.

Shopping carts: 3 ways to do it:
1. Get a shopping cart service, in which you pay monthly
2. Buy a shopping cart and you host it in your server space.
3. Hired a web developer to set-up a shopping card

Merchant Accounts: There lots of them out there to process your credit card

Feel free to contact me: alanfox70@yahoo.com

Subject: Re: Shopping Cart E-Commerce Solution
From: snowman1-ga on 13 Dec 2003 02:23 PST

Thanks Alan,

I'm clear about the e-commerce gateways and shopping cart that we have
pretty much completed.

The issue is on storage of credit card data ( which for security
reasons needs to be on a separate server )

It's quite widespread amongst merchants and talked about in several
places on the web . Certified personnel will access this data under
log in to apply additional charges ( in accordance with the customer
contract ) to invoke adjustments. e.g. ammendment fees, supplier
guarantees which exceed the original amount charged e.g. hotels). In
our case we may have to provide the hotel with these records so that
they can debit the customer. This is normal procedure.

However, i cannot find anyone who has either a spec or a script that
can perform this, even though it's very widespread amongst larger
merchants.

Kind Regards

Alistair

Subject: Re: Shopping Cart E-Commerce Solution
From: snowman1-ga on 13 Dec 2003 03:17 PST

I'm looking to identify either a script, a package or a person
familiar with this problem who can articulate the specifications for
our programmers.

Because it is widespread i was hoping to get out of it cheaply, based
on common knowledge - but i've been unable to identify a person who
can answer the above.

Regards

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.

Search Google Answers for

Google Home - Answers FAQ - Terms of Service - Privacy Policy