Q - Recently, we were asked if we are PCI (Payment Card Industry) compliant. One of the subjects that came up is whether or not Elliott stores credit card numbers in its database with encryption. Can you tell me if credit card numbers stored in Elliott are encrypted and how they are encrypted?
A - Credit card numbers stored in the Elliott eContact database are encrypted with 128-bit encryption. If the table that contains the credit card number is ever compromised, the perpetrator will not be able to decrypt the credit card number unless they have two keys: (1) the "Credit Card Master Password," which was assigned by the user when they first started to use the Elliott credit card solution; and (2) an internal super secret password that only a few people at Netcellent know.
Even though Elliott encrypts and stores credit card numbers safely in the database, we are moving away from storing credit card numbers locally. That is to say, we suggest that our customers do not store credit card numbers locally.
Generally speaking, it requires a lot more than just encrypting credit card numbers in the database to be PCI compliant. Once you cross the bridge of storing credit card numbers in your local database, you will have to meet several stringent requirements to achieve PCI compliance status. These include how often you force your users to change their passwords; the strength of the password (length, mix of upper and lower case, numeric and special characters); what your policy is on terminating a login when terminating an employee; what your network topology is; whether your local database is on a different zone of the firewall so that access is isolated through certain port numbers only; whether or not you have a DMZ, etc. The requirements are very hefty, which is understandable given the number of incidents of credit card databases lost by Home Depot, Target and Sony.
Our strategy to move our customers toward PCI compliance is to use Payware Connect. Payware Connect is a cloud-based payment gateway solution provided by Verifone. For each credit card transaction, Payware Connect returns a 9-digit unique ID, which we call the TroutD. Elliott stores this TroutD in our credit card log history. We recommend that our customers not store credit card numbers locally. Instead, Elliott provides a method to charge and refund by referencing this TroutD. The TroutD is only usable by the particular merchant that originally processed that credit card transaction, so storing it locally involves no sensitive data: if anybody were able to steal the TroutD data, it would be of no value to them. By charging credit cards by reference ID, our customers do not have to store credit card numbers locally. This greatly simplifies the PCI compliance requirement.
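The charge-by-reference model described above, as an added illustration that is not part of this article and not Netcellent's or Verifone's code: a constructed mock gateway issues a 9-digit reference bound to the merchant that created it, while the local application log keeps only that reference and non-sensitive display data (last four digits), never the card number. The class names, the test card number 4111111111111111 and the merchant IDs are all constructed for the example.

```python
"""Charge/refund by reference ID instead of storing card numbers locally.

Constructed mock of a tokenizing payment gateway (NOT the Payware Connect API).
The point it demonstrates: the local system never persists the card number,
and a stolen reference is useless to anyone but the originating merchant.
"""
import secrets
from dataclasses import dataclass, field


class MockGateway:
    """Simulated gateway: the card number lives only here, never locally."""

    def __init__(self):
        # reference -> (merchant_id, card_number); the gateway's own vault
        self._vault = {}

    def _new_reference(self) -> str:
        # 9-digit numeric reference, mirroring the TroutD format described above
        while True:
            ref = f"{secrets.randbelow(10**9):09d}"
            if ref not in self._vault:
                return ref

    def authorize(self, merchant_id: str, card_number: str, amount_cents: int) -> str:
        """Initial transaction: card number is sent once, a reference comes back."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        ref = self._new_reference()
        self._vault[ref] = (merchant_id, card_number)
        return ref

    def _lookup(self, merchant_id: str, ref: str):
        entry = self._vault.get(ref)
        # A reference is bound to the merchant that created it; anyone else gets nothing.
        if entry is None or entry[0] != merchant_id:
            return None
        return entry

    def charge_by_reference(self, merchant_id: str, ref: str, amount_cents: int) -> bool:
        """Follow-up charge using only the reference (no card number needed)."""
        return amount_cents > 0 and self._lookup(merchant_id, ref) is not None

    def refund_by_reference(self, merchant_id: str, ref: str, amount_cents: int) -> bool:
        """Refund against the original transaction, again by reference only."""
        return amount_cents > 0 and self._lookup(merchant_id, ref) is not None


@dataclass
class LocalCardLog:
    """What the local application persists: reference plus display data only."""
    entries: list = field(default_factory=list)

    def record(self, ref: str, card_number: str, amount_cents: int) -> dict:
        entry = {
            "ref": ref,
            "last4": card_number[-4:],   # display data, not the full PAN
            "amount_cents": amount_cents,
        }
        self.entries.append(entry)
        return entry

    def contains_pan(self, card_number: str) -> bool:
        """Self-check a reviewer can run: does the full card number appear anywhere?"""
        return any(card_number in str(v) for e in self.entries for v in e.values())


def run_demo() -> dict:
    """Walk through authorize -> local record -> charge/refund by reference."""
    gateway = MockGateway()
    log = LocalCardLog()
    pan = "4111111111111111"          # constructed test card number
    ref = gateway.authorize("merchant-A", pan, 1999)
    log.record(ref, pan, 1999)
    return {
        "ref": ref,
        "same_merchant_charge": gateway.charge_by_reference("merchant-A", ref, 500),
        "same_merchant_refund": gateway.refund_by_reference("merchant-A", ref, 500),
        "other_merchant_charge": gateway.charge_by_reference("merchant-B", ref, 500),
        "pan_stored_locally": log.contains_pan(pan),
        "last4": log.entries[0]["last4"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `contains_pan` check is the kind of assertion worth keeping in a test suite: it fails the build if anyone later adds a field that carries the full card number back into local storage.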
Payware Connect is not free. Users need to pay a few cents per transaction on top of their regular merchant fee. If you are interested in moving toward integrated credit card processing in Elliott, you will need to speak to our merchant service provider partner to set up a merchant account at an extremely competitive merchant rate. Just give the Netcellent sales department a call at 888-595-3818.
To find out how to process credit cards by using reference ID in Elliott, please refer to the following URL: