This might be quite a long read, because there is a bit of relevant back story. If you just want to see the question summarized, I have it written at the end.

Edit: I realize hiding the type of business isn't useful, it's a maid/cleaning business.

I'm working with a client where the service they provide is ordered through the website, but the client doesn't have to pay until the service is finished. Because of this the payment is handled through a third party and no payment information is even processed on the website.

The problem is now with the city. While we were in talks with them to obtain a license for the product, they said that we could still collect payment the way we want, but we have to store (or have access to) a credit card for each user so we can identify or track them if they break a law (like assault one of our employees on the job or decide not to pay or whatever).

Originally we thought a fully varied phone number would be enough but they are insistent that we need to be able to link a user on the website to a credit card. Even if they choose to pay by cash we need a credit card on record just in the off chance we need to track them later.

Is there a way to do this without holding credit card information on our personal database? When a user makes an account, can I ask for a credit card at that point and then just feed it to a service like Stripe and just hold it there, sort of acting like a second database? If we go through this route, is there anything we need to do on our side in regard to PCI compliance?

Our owner has had a bad experience in the past with bad developers holding credit card data on a server that was not protected, and it ended badly, so he refuses to hold any card information on our side. Also, the insurance we have already lined up refuses to back us any further if we hold it on site without professional security measures. Even if we did start to hold credit card information, what exactly do I have to do to make sure it's all secure and up to standard? I've never had to handle this before.

Any suggestions or help would be awesome. I'm really stuck here.

TL;DR: City wants us to be able to link a user to a credit card before service is even started, so basically upon sign-up. Owner of business and insurance company don't want to save credit card information on our database. I'm not sure how to handle this and make both happy. Do I learn some basic encryption? Can I use Stripe or something as a second database?

Edit: To clarify further, I don't want to use any of the information we save, we plan to charge customers differently. The city just wants it on record.

  • I would look into Authorize.net CIM – Nathan Robb Sep 11 '16 at 14:42
  • It looks like this service is mainly used to take payments. If I just use this service to hold information but don't actually use it to process any payments, is it free to use? The reason I ask is that we already have a payment system and payment terminals set up –  Sep 11 '16 at 15:00
  • Authorize.net is not free to use and the whole idea of it is that once you put it on their system, you can't get it back, all you can do is use tokens to submit payments and such. There is little to no benefit to a system where you store credit cards on another database with the need to retrieve it over storing it on your own database. Unfortunately, I can not think of any systems that would allow you to do this, sorry. – Nathan Robb Sep 11 '16 at 15:04
  • IMO this is more of a question for a lawyer, who may be able to help you fight the unreasonable requirement. – ceejayoz Sep 11 '16 at 15:07
  • It seems like the easiest way around this is to just store the information on my server and convince the owner and insurance company that it'll be well secured. Anyone know of any resources on where to learn about this? –  Sep 11 '16 at 15:39
  • Possible duplicate of [Best practices to store CreditCard information into DataBase](http://stackoverflow.com/questions/3002189/best-practices-to-store-creditcard-information-into-database) – chris85 Sep 11 '16 at 15:47
  • @Riles I don't think I've ever heard someone deem the PCI compliance process "the easiest way". Heh. – ceejayoz Sep 12 '16 at 19:44

1 Answer

Yes, of course there is a solution.

There are companies (payment processing companies) that are doing exactly this; they charge a fee and offload all of the responsibility from you.

They invest a lot of money to be able to validate all of the security measures required by the law, including PCI compliance.

Those companies not only offer different payment formats (such as single payment, recurring payments, etc.) but also take care of storing some data on their side for future payments from the customer.

Stripe, 2Checkout and Authorize.net are only a few of many options to look into.

Don't you ever think about storing any sensitive information (credit card information is only one example) on your own servers, unless you can comply with all security measures required by the law - which is a tiresome and expensive thing to do.

Good luck!

codelock
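The arrangement discussed in the comments and the answer above (the processor holds the card, the site holds only a reference to it) can be sketched as follows. This is an added example, not code from the original thread or from any processor's SDK: `CardOnFile`, `link_card`, `contains_pan` and the sample reference values are hypothetical, and the Luhn-based guard is one way to keep a full card number from being written to the site's own database.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a digit run that passes the Luhn check."""
    return any(
        luhn_valid(re.sub(r"[ -]", "", m.group()))
        for m in _PAN_RE.finditer(text)
    )


@dataclass(frozen=True)
class CardOnFile:
    user_id: int
    processor: str   # hypothetical label for whichever processor is used
    card_ref: str    # opaque reference returned by the processor
    last4: str       # truncated number, for support staff and records


def link_card(user_id: int, processor: str, card_ref: str, last4: str) -> CardOnFile:
    """Build the only card-related row the site's own database keeps."""
    if contains_pan(card_ref) or contains_pan(processor):
        raise ValueError("refusing to store a value that looks like a card number")
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return CardOnFile(user_id, processor, card_ref, last4)
```

The same `contains_pan` check can be run over log lines or free-text form fields before they are persisted.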