Processing credit card information
We are in the process of contracting with a company to provide order fulfillment services over the Internet. The service provider will be taking orders along with credit card information and then shipping and billing the customer directly. We are a privately owned company, and my question is: is the company I work for under any compliance regulations or liability for the personal credit card information the service provider will be handling?

ASKED: February 8, 2006  10:09 AM
UPDATED: February 20, 2006  7:55 AM

Answer Wiki:
YES! 3rd party processing can isolate you from your customers at the cost of effective business relations. Depending on your size, projected gross sales, and tax liabilities, you are going to need records of transactions. The more detailed those records, the easier your compliance becomes. While you are not the direct card processor, oversight is necessary to protect your 'good' name. Don't think of the relationship between you and your processor as being 'set and forget'. Track failed sales and chargebacks.
Last Wiki Answer Submitted:  February 8, 2006  10:37 am  by  Howard2nd   30 pts.


Discuss This Question:

Hi

Your 3rd party definitely needs to be SOX compliant.


Bigjess,

To a certain degree you may need to comply with PCI/CISP, but I don't believe that you need to comply with SOX as you are not a public company. Nevertheless, I would suggest exploring the possibility of obtaining a Type II SAS70 report from your service provider so you can assess the effectiveness of their controls.

Carlo


1.) PCI/DSS certification would provide the best assurance of appropriate credit card processing, but get evidence of all 3 (PCI, SAS 70 Type II and SOX). The due diligence standard is to ask for all and see what they provide. Ask for a network vulnerability/pen test if they can't provide the PCI certification.

2.) The above will provide some broad general controls assurance and some network assurance, but don't start processing unless they can provide a web application vulnerability assessment (WebInspect or similar). Port 80 is always open for business, so it is critical that the app behind this port is safe (OWASP).

3.) Don't forget a contract with liability and indemnification clauses in your favor and strong SLAs.
