Archive for the ‘Compliance’ Category

Credit Card Processing: Between a Rock (Hackers) and a Hard Place (Compliance)

by FireHost Evangelist on December 8th, 2009

For many ecommerce developers, the thought of designing a system to store the credit card data of their clients’ customers is chilling.

For good reason. Determined hackers can compromise the most sophisticated network by combining simple, free tools with a little effort. In fact, the cyber-criminals behind the famed TJ Maxx and Heartland Payment Systems breaches used novice techniques like wardriving and SQL injection to access the retailers’ networks.

If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.

Managing Credit Card Data

The first (and perhaps most important) challenge you’ll face with such an ecommerce development project is credit card collection, storage, and handling. One of the easiest and least risky options is to offload, via an API, the storage and handling of credit card numbers to a payment gateway that “hides” credit card data – Authorize.net, PayPal, BluePay or the like. If the credit card data is passed directly from the client (browser) to the gateway, without passing through your client’s web server, you’ll reduce your liability as the developer and help keep your client’s ecommerce site protected.

However, this solution may not work in all situations or for all clients, for at least a few reasons.

  1. Complicated recurring billing. If your client has a complicated recurring billing structure wherein payments vary in time, frequency, amount, or purpose; or if your client’s customers use purchase orders, your client may need to keep the raw credit card numbers available for the flexibility. Your client can still use tokens and offload the recurring billing to some credit-card-obscuring payment gateways as mentioned above, but again the need to process or manage customer data can be project specific.
  2. Save on Interchange fees. All credit-card merchant-account providers charge an Interchange fee, and these fees can and do vary from provider to provider. So for some potential clients, managing customer credit card data can be well worth the risk if doing so allows them to get a significantly better fee structure.
  3. Offloading credit-card-storage is not enough. If credit card data passes through your client’s web server, whether the business stores that data or not, the system you develop needs to be PCI compliant. In short, whenever possible, choose a solution that never exposes your web server and your client’s ecommerce business to customer data. But when a project does call for credit data transfer or storage, you’ll need to build a Payment Card Industry compliant system that hackers cannot easily overcome.
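
One way to check the point in item 3, as an added example that is not part of the original post: scan web-server logs or captured request bodies for Luhn-valid card numbers, to confirm that a direct-to-gateway design really keeps card data off the server. The log lines, field names and `tok_` token format below are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits so the report does not repeat the number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return the masked form of every Luhn-valid card-number candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # filters out order ids, timestamps and similar digit runs
            hits.append(mask(digits))
    return hits

def scan_log(lines) -> list:
    """Return (line_number, masked_numbers) for each line that exposes a card number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hits = find_pans(line)
        if hits:
            findings.append((lineno, hits))
    return findings

# Constructed sample log; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = [
    "POST /checkout 200 token=tok_9f2c amount=49.99",         # tokenized: nothing to find
    "POST /checkout 200 card=4111111111111111 amount=49.99",  # raw number reached the server
    "POST /order 200 order_id=1234567890123456",              # 16 digits, fails Luhn
    "POST /checkout 200 card=4111-1111-1111-1111 exp=12/12",  # hyphenated form
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: card number present {hits}")
```

Any finding means card data is passing through the web server, which puts that system in PCI scope whether or not the application stores the number.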
