1

I have a form on a SSL secured website that contains credit card number and its type (no CCV nor the expiration date). When the user submits the form, an email is sent to the management with all the submitted information. Nothing is stored in the database in the process.

Do I need to do anything else besides securing the website with HTTPS?

Thanks!

mvovchak
  • 291
  • 5
  • 13

2 Answers2

2

Since you accept credit card information, you must be PCI compliant.

From the FAQ:

Q: To whom does PCI apply?

A: PCI applies to ANY organization or merchant, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: How do I report an organization for violating PCI?

A: Businesses that are found to be out of compliance with PCI may be subject to fines by the entity they use to process their credit card transactions. Businesses that have a data breach where credit card data is actually stolen will be subject to much larger fines and fees from the banks, card brands, etc., and are required to report the breach, which quickly makes the news and causes further reputational damage.

And also this:

Q: Am I PCI compliant if I have an SSL certificate?

A: No. SSL certificates do not secure a Web server from malicious attacks or intrusions.

Community
  • 1
  • 1
David Schwartz
  • 179,497
  • 17
  • 214
  • 278
2

If you are submitting any credit card information then the answer is yes! Sending a credit card in an email is a huge no-no!

  1. You might not be storing the numbers on a local server but it transmits through email servers! An attacker can access that information!
  2. If anyone ever changes the email address on the form then it can go to a third party. This is very insecure.
  3. You cannot ever send credit card numbers in the clear. The numbers must be encrypted before, during, and after transmission (storage); and notably the full-card number should only be displayed in full if absolutely necessary. Otherwise you can display the last 4, but only if absolutely necessary to handle a business function.
  4. Not only does your form need to be secure but all hardware and networks the numbers reside on.

I recommend taking this offline immediately, and destroy all emails ASAP. Then go and read the PCI compliance documentation, and/or consider using a PCI compliant payment interface such as authorize.net for example.

Shawn
  • 3,583
  • 8
  • 46
  • 63