During a meeting with a potential client this week I made a casual inquiry, asking which payment processor they currently used for the ecommerce web site.
“Oh, we do it manually,” they said. It turns out they use an antiquated system that sends them the customer’s credit card information via email. They then take that information and run it through their Point of Sale software to charge the account.
Oops. That is a dangerous if not illegal procedure.
Emails, by their very nature, travel from computer to computer across the internet. There are ample opportunities for one of these relaying computers to cache a copy of the email, customer credit card information included, and every cached copy is another place that information can be exposed. If this data is encrypted, it is reasonably secure. If not, it is a ticking time bomb. I don’t want to be there when the ticking stops.
Once the email has arrived, a host of other security issues arise:
- Is the network secure?
- Is the computer secure?
- What happens with the email after the transaction has been processed?
- Was it printed out?
- If it was printed out, what is done with the print out after the transaction has processed?
In Colorado it is, to my understanding, illegal to store a hard copy of the complete credit card number of a customer.
If you are a merchant and aren’t sure if your system is compliant, a good place to get started is https://www.pcisecuritystandards.org/merchants/.
Another valuable source is EduCyber Endorsed SGP Services. Give Sean a call at 303-697-7799.