Credit Card Transactions

This policy is from Chuck Scott:

Current policy on storing of credit cards is that we attempt to not have that data stored on our systems at all. To avoid that, the best practice is to use Authorize.net, Merchant Solution, PayPal or some other payment gateway to process the cards at the time of the order. In that case, the only card information that's stored might be a mudged copy of the card number (last 4 digits only), no CVV, and possibly the expiration date (No enough info to run the card.)

If active processing of the card is not possible, we can temporarily store card information in a database server (not a Web server) only long enough for the customer to get into their admin area and pick up the card information for processing. To do that correctly, the site would have to automatically delete credit card information after a set amount of time (1 week is preferred - 1 month would be absolute maximum).

If long-term storage of credit card information is required, then we would require the following...

1) All card information stored in our database servers is first encrypted with a one-way public key.

2) The customer would be the only one to have the decryption key. We would not retain this for their reference.

3) The decryption key is not stored on any of our servers or systems, even as a comment in the site code.

4) The customer signs an agreement that they accept full responsibility for any disclosure of plain-text credit card information, whether that's due to them disclosing the decryption key, even if that is in combination with a disclosure of data from our servers.

Note that by law any disclosure sensitive personal information requires direct contact with each person who's information has been disclosed. In this case, the customer would be fully responsible for any and all costs involved in doing that.

Lastly, we do not recommend delivery of Credit Card information via E-Mail and should discontinue that practice any time we update an old site.