On Sep 28, 12:31 am, brianp [email protected] wrote:
I don’t exactly know why the credit card is needed but they gave me a
pdf version of the form they get people to fill out manually and it’s
on there so…
I had hoped I could find api’s for the services they then re-enter the
information into with no luck. They said they have to take the
information and submit it to 1/3 different locations on a case for
case basis each requiring slightly different information.
There are likely APIs for each of the credit bureaus - I just got done
implementing a similar system to attach to the Lexis-Nexis background
check systems. I’d love to share, but LN puts all their docs under
I’m still wondering though how to go about creating the secure
The best you’re going to be able to manage is likely the previous
suggestion - only make the information available via a secure part of
the site. SSL is a good first step, but more complicated things could
also be useful (two-factor auth, etc).
As well, if I am storing this kind of sensitive data maybe it would be
a good idea to have an expiry. Data will only be held for so long
before it is wiped from the db?
It couldn’t hurt to also encrypt the relevant data in the DB, although
that’s still not great (you have to have the keys on the server to use
The answers have kind of unnerved me. Is this maybe a job I should re-
assess doing all together? Or as long as I follow the guidelines it
should be okay?
It seems like the client here doesn’t have the foggiest idea about
security, and that’s a dangerous position for you to be in. Actually
achieving PCI compliance is going to take considerable time and money;
make sure that you document any corners they want you to cut, as
you’ll need that if (or when) they get sued for leaking customer info.
It probably wouldn’t hurt to have a lawyer do a quick once-over on the
contract to see exactly how much liability you may have if there is a