Q: Shopping Cart E-Commerce Solution ( Answered 5 out of 5 stars,   3 Comments )
Question  
Subject: Shopping Cart E-Commerce Solution
Category: Computers > Software
Asked by: snowman1-ga
List Price: $10.00
Posted: 12 Dec 2003 20:36 PST
Expires: 11 Jan 2004 20:36 PST
Question ID: 286576
I'm seeking to find people or an expert that can provide advice on
secure credit card storage of customer details, for a real time
shopping cart.

Request for Question Clarification by joseleon-ga on 12 Dec 2003 23:12 PST
Hello, snowman1:
 Do you want to store customer credit card data? Or do you simply want
to allow credit card payment on your website? I recommend the
second option because all you need is a payment gateway managed by a
third party, and it's easier to set up than the first one.

Regards.

Clarification of Question by snowman1-ga on 13 Dec 2003 02:16 PST
Hi Joseleon,

Yes, we need to store credit card data on a separate server to our
website. The e-commerce gateway is tested and more or less complete to
carry out real time transactions. However, we need to store credit
card details separately in order to process adjustments (e.g.
cancellation penalties, amendment fees, supplier guarantees on
customer, etc.)

The access is only for certified personnel to operate under log in.
General operators have access to the details minus 4 or 5 digits I
believe. I know merchants do this, but I can't find anyone that will
provide a spec consequent to the exercise, scripts or otherwise.

Hope this helps

Kind Regards

Request for Question Clarification by joseleon-ga on 13 Dec 2003 02:33 PST
Hello, snowman1:
  Ok, in that case, what kind of advice are you looking for? Are you
looking for requirements you need to meet to get certified by a third
party that you are using a secure system to store that data? Or are
you looking for something else?

Regards.

Clarification of Question by snowman1-ga on 03 Jan 2004 23:57 PST
Hi Joseleon,

My apologies for not having responded - I must have been confused
since I thought I had already answered your question.

Since last speaking with you it seems our developer has an
understanding of our needs.

I was looking for an "off the shelf" Perl CGI script to syphon off the
credit card details and customer account/product details to a
separate secure server (away from our site's server) - if you can
help, fine, but I think we may be OK - apparently it's a couple of days
programming.

Thanks again and Happy New Year

Alistair

Request for Question Clarification by joseleon-ga on 04 Jan 2004 06:55 PST
Hello, snowman1:
  Ok, in that case it is clear, but would you be interested in info about
how to protect and handle customer credit card info? This is very
important for any business that deals with sensitive data.

Regards.

Clarification of Question by snowman1-ga on 04 Jan 2004 14:29 PST
Hi Joseleon,

Yes this would be fine. 

Kind Regards

Alistair
Answer  
Subject: Re: Shopping Cart E-Commerce Solution
Answered By: joseleon-ga on 05 Jan 2004 01:29 PST
Rated:5 out of 5 stars
 
Hello, snowman1:
  Ok, in that case, here are some things you may/may not do when you
are storing customer credit card info:

What you need to do:
-Privacy policy:
 Set up a privacy policy on your website/application that explains to
the user how you protect their information. You can get more info on
how to create and maintain your privacy policy here:
 
Online Privacy Guide
http://home5.americanexpress.com/merchant/resources/fraudprevention/privacypolicyguide.asp
 
-Firewalls
 Employ internal and external firewalls to prevent intrusions from the
internet and from within your organization.
 
-Encryption 
 Be sure all data transmitted over the web uses SSL and the credit
card info is stored encrypted using a strong algorithm.
 
-Employee access/passwords 
 Assign employee access to payment data on a need-to-know basis. 
 Issue a unique ID to each person with computer access to payment data. 
 Maintain the ability to track employee access to payment data through
the use of unique IDs.
 Change employee passwords regularly. 
 Ensure employee information security policy is communicated. 
 Require two-person control to access encrypted data. 

-Systems 
 Routinely test internal security systems and processes. Annual
certification of systems and processes by a third party Security
Evaluation Company is preferred.
 Maintain physical building and premise access security. 
 Restrict physical access to payment data.

What you must not do:
-Never store payment data on a web server or cache anywhere in memory
related to a web server. Payment data may only be stored in a separate
database, with at least one external firewall.

-Never use payment data for any purpose other than processing future transactions. 

This info has been adapted from the contents of this webpage:

Data Security Standards
http://home5.americanexpress.com/merchant/resources/fraudprevention/datasecurity_standards1.asp

I hope this helps, but in any case, don't hesitate to request any
clarification.

Regards.
snowman1-ga rated this answer:5 out of 5 stars and gave an additional tip of: $3.00
Thanks for the speed and accuracy of the answers plus going the extra mile
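
The access rules listed in the answer (unique staff IDs, tracked access, two-person control) and the masked operator view described in the question could be enforced as follows. This is an added example, not code from the thread: the staff IDs, roles, customer ID and the choice of which digits to hide are assumptions, the card number is a standard test value, and the in-memory dict stands in for the encrypted database on the separate server.

```python
import datetime

# Constructed sample data; the dict stands in for the encrypted card database.
VAULT = {"cust-1001": "4111111111111111"}  # well-known test number
# Hypothetical staff directory: unique ID -> role (assumption).
STAFF = {"op-17": "operator", "sup-02": "certified", "sup-05": "certified"}
AUDIT_LOG = []  # every attempt, allowed or not, is tied to unique staff IDs


def _audit(staff_ids, customer, action, allowed):
    AUDIT_LOG.append({
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "staff": tuple(staff_ids), "customer": customer,
        "action": action, "allowed": allowed,
    })


def masked_view(staff_id, customer, hidden=5):
    """Operator view: the card number minus `hidden` digits."""
    allowed = staff_id in STAFF and customer in VAULT
    _audit([staff_id], customer, "masked_view", allowed)
    if not allowed:
        raise PermissionError("unknown staff ID or customer")
    pan = VAULT[customer]
    # Which digits to hide is an assumption: keep the first six, mask the next ones.
    return pan[:6] + "*" * hidden + pan[6 + hidden:]


def full_reveal(staff_a, staff_b, customer, reason):
    """Two-person control: two distinct certified IDs must both sign off."""
    pair = {staff_a, staff_b}
    allowed = (len(pair) == 2 and customer in VAULT
               and all(STAFF.get(s) == "certified" for s in pair))
    _audit([staff_a, staff_b], customer, "full_reveal: " + reason, allowed)
    if not allowed:
        raise PermissionError("two distinct certified staff IDs required")
    return VAULT[customer]


def access_report(staff_id):
    """Everything a given staff ID touched or tried to touch."""
    return [entry for entry in AUDIT_LOG if staff_id in entry["staff"]]
```

Denied attempts are logged before the exception is raised, so a report for one staff ID also shows what that person was refused.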

Comments  
Subject: Re: Shopping Cart E-Commerce Solution
From: alanfox70-ga on 12 Dec 2003 21:08 PST
 
If you want to have e-commerce in your website, you need 2 basic
elements: Shopping cart and Merchant gateway.

Shopping carts: 3 ways to do it:
1. Get a shopping cart service, in which you pay monthly
2. Buy a shopping cart and you host it in your server space.
3. Hire a web developer to set up a shopping cart

Merchant Accounts: There are lots of them out there to process your credit card

Feel free to contact me: alanfox70@yahoo.com
Subject: Re: Shopping Cart E-Commerce Solution
From: snowman1-ga on 13 Dec 2003 02:23 PST
 
Thanks Alan,

I'm clear about the e-commerce gateways and shopping cart that we have
pretty much completed.

The issue is on storage of credit card data (which for security
reasons needs to be on a separate server).

It's quite widespread amongst merchants and talked about in several
places on the web. Certified personnel will access this data under
log in to apply additional charges (in accordance with the customer
contract) to invoke adjustments (e.g. amendment fees, supplier
guarantees which exceed the original amount charged, e.g. hotels). In
our case we may have to provide the hotel with these records so that
they can debit the customer. This is normal procedure.

However, I cannot find anyone who has either a spec or a script that
can perform this, even though it's very widespread amongst larger
merchants.

Kind Regards

Alistair
Subject: Re: Shopping Cart E-Commerce Solution
From: snowman1-ga on 13 Dec 2003 03:17 PST
 
I'm looking to identify either a script, a package or a person
familiar with this problem who can articulate the specifications for
our programmers.

Because it is widespread I was hoping to get out of it cheaply, based
on common knowledge - but I've been unable to identify a person who
can answer the above.

Regards
