Processing credit card information

We are in the process of contracting with a company to provide order fulfillment services over the Internet. The service provider will be taking orders along with credit card information, then ship and bill the customer directly. We are a privately owned company, and my question is: is the company I work for under any compliance regulations or liability for the personal credit card information the service provider will be handling?

Answer Wiki


YES! 3rd party processing can isolate you from your customers at the cost of effective business relations. Depending on your size, projected gross sales, tax liabilities, you are going to need records of transactions. The more detailed those records the easier your compliance becomes. While you are not the direct card processor, oversight is necessary to protect your ‘good’ name.
Don’t think of the relationship between you and your processor as being ‘set and forget’. Track failed sales and chargebacks.

Discuss This Question: 3  Replies

  • Scutch
    Hi, your 3rd party definitely needs to be SOX compliant.
  • Carloricco
    Bigjess, to a certain degree you may need to comply with PCI/CISP, but I don't believe that you need to comply with SOX as you are not a public company. Nevertheless, I would suggest exploring the possibility of obtaining a Type II SAS 70 report from your service provider so you can assess the effectiveness of their controls. Carlo
  • Mhoesing
    1.) PCI/DSS certification would provide the best assurance of appropriate credit card processing, but get evidence of all 3 (PCI, SAS 70 Type II and SOX). The due diligence standard is to ask for all and see what they provide. Ask for a network vulnerability/pen test if they can't provide the PCI certification. 2.) The above will provide some broad general controls assurance and some network assurance, but don't start processing unless they can provide a web application vulnerability assessment (WebInspect or similar). Port 80 is always open for business; it is critical that the app behind this port is safe (OWASP). 3.) Don't forget a contract with liability and indemnification clauses in your favor and strong SLAs.
