Direct Commerce Systems

RE: Order Management, eCommerce and Fulfillment Solutions for Direct Merchants

The clock is ticking on Payment Application Data Security Standard compliance... but this is still not a topic of huge interest/discussion. Vendors are quietly assessing/pursuing strategies. Any thoughts, comments?



Replies to This Discussion

I think you are essentially right, Barney, but if the order management system "touches" the credit card data at all, even to pass it along to the gateway, I believe it is still subject to PA-DSS review. The system has to be verified as managing the hand-off correctly, and not leaving any credit card data behind in any way. Correct?

Barney Stone said:
At Stone Edge Technologies, we have come to the conclusion that the need for storing credit card account numbers at all is quickly coming to an end. All but one of the payment gateways that we integrate with offer the ability to use tokens in place of account numbers if you have to issue a credit or place an additional charge against an account. The account number is only used for the initial charge or authorization. After that, everything can be done with the token (or whatever that gateway calls it). No account numbers are stored, and tokens should be useless if they fall into the wrong hands. That should dramatically reduce the risks involved with credit card processing, and make both PA-DSS (for software developers) and PCI (for merchants) much easier to achieve and maintain. Comments, anyone?
That is correct. In our case, we will stop importing credit card numbers from the 40+ shopping carts that we integrate with (at some point in the near future), but we will still have to handle account numbers for phone/mail/etc. orders and for POS orders. But those numbers will only be accepted via data entry or card swipe and immediately sent to the credit card gateway. They will not be stored at all. The response from the gateway will give us the token we need for future access. So PA-DSS certification should be a lot easier to achieve and maintain than it would be if we were storing account numbers, and the security risk for merchants should be all but eliminated.
Ernie Schell said:
I think you are essentially right, Barney, but if the order management system "touches" the credit card data at all, even to pass it along to the gateway, I believe it is still subject to PA-DSS review. The system has to be verified as managing the hand-off correctly, and not leaving any credit card data behind in any way. Correct?

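The flow Barney describes (the account number goes straight to the gateway, only a token comes back and is stored) together with Ernie's point that the hand-off must leave no card data behind, as an added Python example that is not from the original thread or from Stone Edge; the gateway class, the function names and the test card number are constructed stand-ins for a real gateway's tokenization API, and the residue scan is the kind of check an assessor would run over persisted order records.

```python
import json
import re
import secrets


class FakeGateway:
    """Constructed stand-in for a payment gateway's tokenization API."""

    def __init__(self):
        self._vault = {}  # token -> PAN; exists only inside the gateway

    def authorize(self, pan, amount_cents):
        # Initial authorization: the only call that ever receives the PAN.
        token = "tok_" + secrets.token_hex(6)  # random, not derived from the PAN
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def charge(self, token, amount_cents):
        # Later charges and credits reference the token only.
        return {"approved": token in self._vault}


def place_order(gateway, pan, amount_cents):
    """Take a PAN from keyboard or swipe, hand it straight to the gateway,
    and return the record the order system persists: token and last four only."""
    auth = gateway.authorize(pan, amount_cents)
    if not auth["approved"]:
        raise RuntimeError("authorization declined")
    return {"amount_cents": amount_cents, "token": auth["token"], "last4": auth["last4"]}


def luhn_ok(digits):
    """Luhn check used to tell real account numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_residue(stored_record):
    """Assessor-style check over what was persisted: any Luhn-valid run of
    13-19 digits is a PAN left behind. Empty list means the hand-off was clean."""
    blob = json.dumps(stored_record)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]
```

Running `find_pan_residue` over every table the order system writes (orders, logs, import staging) is the practical way to show that "touching" the number to pass it along did not leave a copy behind.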


© 2017 Created by Ernie Schell.
