[clug] The 1st Internet Tax is here.

Daniel Pittman daniel at rimspace.net
Thu Nov 13 00:50:48 GMT 2008

Alex Satrapa <grail at goldweb.com.au> writes:
> On 13/11/2008, at 11:37 , Daniel Pittman wrote:
>> When working for a client who did hold the credit card numbers we
>> actually had a less pleasant situation: we had no option but the PCI
>> audits, which are quite a costly affair.
> Are you talking about the situation where, for example, the credit
> card number is stored in the CRM system to allow regular charges to be
> made for subscription services, while actual payment processing is
> still done by a third party?

No, in this particular case we held the credit card numbers, encrypted,
long enough to deliver them to the third party who ran the service we
acted as a payment gateway for.

So, we actually held them less long than your CRM system would, since
most of them were out the door and securely removed within a few

However, yes, that situation would (as far as I can tell) qualify for
*at least* the minimum level of PCI scrutiny, and possibly more.


More information about the linux mailing list