View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
2944 | Composr | ecommerce | public | 2016-11-25 20:29 | 2016-11-25 20:30 |
Reporter | Chris Graham | Assigned To | |||
Priority | normal | Severity | feature | ||
Status | new | Resolution | open | ||
Summary | 2944: Storing credit card number | ||||
Description | We are no longer saving credit card numbers with local payments. This is because they need to be individually encrypted to meet PCI compliance, the encryption key must not be backed up, and they need to be obfuscated when shown to users in their profiles. That's all technically very challenging for us (and our users) to achieve. The encryption scheme could not be our regular CPF encryption scheme, as only staff can decrypt that manually using their local key password. We are not allowed to save the CV2 either, but there's no getting around that. CV2 is not needed for payments though; it's just a security feature. | ||||
Additional Information | There's not a great incentive for implementing this. Right now not storing the number is fine. The only good use cases are: 1) Store a first-time authorise for a user when they've paid, using CV2, then don't require CV2 for future transactions (i.e. nothing extra needs typing in). This would need extra work as right now the whole API assumes CV2 will always be passed. 2) If subscriptions are being fully locally managed (see comment in 1529). | ||||
Tags | No tags attached. | ||||
Time estimation (hours) | 10 | ||||
Sponsorship open | |||||
related to | 1529 | Not Assigned | Implement subscription free trial support [and other assorted subscription ideas] |
Date Modified | Username | Field | Change |
---|---|---|---|
2016-11-25 20:29 | Chris Graham | New Issue | |
2016-11-25 20:29 | Chris Graham | Description Updated | |
2016-11-25 20:30 | Chris Graham | Relationship added | related to 1529 |