Does Elliott Encrypt Credit Card Number in The Database?

Q - Recently, we were asked if we are PCI (Payment Card Industry) compliant.  One of the subjects that came up is whether or not Elliott stores credit card numbers in its database with encryption.  Can you tell me if  credit card numbers stored in Elliott are encrypted and how they are encrypted?

A - Credit card numbers stored in the Elliott eContact database are encrypted with 128-bit encryption. If the table that contains the credit card number is ever comprised, the perpetrator will not be able to decrypt the credit card number unless they have two keys: (1) The "Credit Card Master Password," which was assigned by the user when they first started to use the Elliott credit card solution; and (2) an internal super secret password only a few people at Netcellent know.

Even though Elliott encrypts and stores credit card numbers safely in the database, we are moving away from storing credit card numbers locally. That is to say, we suggest that our customers do not store credit card numbers locally. 

Generally speaking, it requires a lot more than just encrypting credit card numbers in the database to be PCI compliant. Once you cross the bridge of storing credit card numbers in your local database, then you will have to meet several stringent requirements to achieve PCI compliance status. This includes how often you force your users to change their passwords; the strength of the password (number of digits, mix of upper and lower case, numeric and special characters); what your policy is on terminating a login when terminating an employee; what your network topology is; whether your local database is on a different zone of the firewall so that access is isolated through certain port numbers only; whether or not you have a DMS zone,.etc. The requirements are very hefty, which is understandable given the number of incidents of credit card databases lost by Home Depot, Target and Sony.

Our strategy to move our customers toward PCI compliance is to use Payware Connect. Payware Connect is a cloud-based payment gateway solution provided by Verifone. For each credit card transaction, Payware Connect returns a 9-digit unique ID, which we called TroutD. Elliott stores this TroutD in our credit card log history. We recommend that our customers not store credit card numbers locally. Instead, we use a method in Elliott to charge and refund by referencing this TroutD. The TroutD is only usable by the particular merchant that originally processed that credit card transaction.  There is no sensitivity involved in storing TroutD locally. If anybody was able to steal the TroutD data, it won't be of any value to them. By using the TroutD to charge credit cards by reference ID, our customers do not have to store credit card numbers locally. This greatly simplifies the PCI compliance requirement.

Payware Connect is not free. Users need to pay a few cents per transaction on top of their regular merchant fee. If you are interested in moving toward with integrated credit card processing in Elliott, you will need to speak to our merchant service provider partner to setup a merchant account with extremely competitive merchant rate.  Just give the Netcellent sales department a call at 888-595-3818.

To find out how to process credit cards by using reference ID in Elliott, please refer to the following URL:

Credit Card Processing

  1. How to Process a Force Credit Card Transaction?
  2. Credit Card Processing Frequently Asked Questions
  3. Payware PC Server Actively Refuses Credit Card Transaction
  4. Does Elliott Encrypt Credit Card Number in The Database?
  5. How to Reverse Credit Card Sales?
  6. Credit Card Transaction Time Out
  7. Procedure to Process Credit Card by Reference ID
  8. How to Charge a Credit Card If Pre-Authorized for the Wrong Customer
  9. Payware Connect Communication Error
  10. What Happens if Credit Card PreAuth Is Not Followed by Completion?
  11. Credit Card Processing Error: Chk Viawarp For Dupl
  12. What Does Error Code 2029999 Mean in Payware Connect SIMEvent.Log File?
  13. I Receive "A call to SSPI failed, see inner exception" Message During Credit Card Processing
  14. Credit Card Payments in Elliott but Not in Payment Gateway
  15. Feature - Support for Verifone Point Devices with Card Chip Technology
  16. Error with Payware Connect - The remote certificate is invalid according to the validation procedure
  17. How to Find Orders That Have Been Pre-Authorized for Credit Card Charge
  18. Feature - Online Credit Card Interface Level 2 Support
  19. How to Handle and Prevent Credit Card Duplicate Charges
  20. Invalid Tran Counter [99...99] with POINT Interface When Charging a Credit Card
  21. How to Set Up MX915 POS Device for Static Network IP Address
  22. Receive "Input parameter INVOICE assigned invalid value" with POS Credit Card Charge
  23. How to Reprint a Credit Card Receipt
  24. Does Elliott Support Credit Card Pre-Authorization Transactions?
  25. What Is the Credit Card Authorization Member Field for?
  26. Selling Non-Approved Items Can Cause Credit Card Processing TERM ID ERROR

Feedback and Knowledge Base