Shopping cart software and ecommerce solutions by Early Impact
PCI compliance and ProductCart shopping cart software

How ProductCart deals with securing credit card information

ProductCart and PCI Compliance

Internet merchants need to be compliant with the Payment Card Industry (PCI) cardholder data security requirements. We have created a page specifically dedicated to the topic of PCI compliance with a ProductCart-powered store. We have also partnered with ScanAlert to bring you free PCI compliance testing.

How ProductCart handles credit card information

ProductCart 2.7x and above fully complies with the official "Merchant Requirements for Securing Cardholder Information" that were recently established by all credit card companies. Specifically:

  • Credit card information is saved to the ProductCart database ONLY when necessary for the successful completion of a credit card transaction. This is currently true only with the following payment options (in all other cases, credit card information is NOT saved to the ProductCart database):
  • When saved to the database, credit card information is encrypted and can only be decrypted when viewing order details via the secure Control Panel.
  • Credit card information is never included in any e-mail sent by ProductCart to either the customer or the store administrator.
  • Our shopping cart software contains a feature that allows store managers to easily purge all credit card information saved to the ProductCart database (if any) at any time. The "Purge Credit Card Numbers" feature can be accessed from the "Orders" menu.
  • The Card Validation code is NEVER saved to the store's ProductCart database, under any circumstance.

Merchant Requirements for Securing Cardholder Information

TO: All Merchants
FROM: American Express®, Diners Club®, Discover® Card, JCB®, MasterCard International®, Visa® U.S.A.
RE: Merchant Requirements for Securing Cardholder Information
The rising incidence of stolen cardholder account data is a major concern for all participants in the payment industry. As a result of these thefts, merchants and financial institutions suffer fraud losses and unanticipated operational expenses, and consumers are inconvenienced significantly. To protect your business, your customers (cardholders), and the integrity of the payment system, each of the card companies has in place a set of requirements governing the safekeeping of account information. This document gives a brief overview of the most critical aspects of those requirements.

Summary of Card Company Requirements Governing Cardholder Information Security 

Storage of Cardholder Information
  • Do not store the following under any circumstance:
    – Full contents of any track from the magnetic stripe on the back of the card.
    – Card-validation code—the three-digit value printed on the signature panel of a MasterCard®, Visa®, Discover®, JCB®, or Diners Club® card, and four-digit code printed on the front of an American Express® card.
  • Store only that portion of the customer’s account information that is essential to your business—i.e. name, account number or expiration date.
  • Store all material containing this information (e.g., authorization logs, transaction reports, transaction receipts, car rental agreements, and carbons) in a secure area limited to authorized personnel.
Destruction of Cardholder Information
  • Destroy or purge all media containing obsolete transaction data with cardholder information.
Use of Agents or Third Parties (Vendors, Processors, Software Providers, Payment Gateways, or Other Service Providers)
  • Advise each merchant bank or processing contact (representing each of your card brands) of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf—regardless of the manner or duration of such activities.
  • Make sure these agents adhere to all rules and regulations governing cardholder information security. Any violation by your agent may result in unnecessary financial exposure and inconvenience to your business.
Reporting a Security Incident
  • In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant bank or processing contact for each card brand immediately.
  • This report will not only minimize risk to the payment system, but protect your customers in the most responsible manner. Systems and procedures are in place to immediately stop the unauthorized use of compromised data, but are effective only when you do your part to promptly report a security incident.
We continue to work on your behalf to reduce payment card fraud, and offer this communication to enhance your awareness, minimize risk, and protect your customers. If you have any questions or would like to have more information, please visit our web sites or contact your representatives for any of the card brands sponsoring this correspondence.

 

Early Impact, Inc. Founded 2001. 23120 Alicia Parkway, Ste 202, Mission Viejo, CA 92692 Tel: (800) 804-1680

Copyright© 2001-2009 Early Impact, Inc. All rights reserved. ProductCart® is a registered trademark of Early Impact.