Recurring Billing, Linkpoint, and storing CC information

Discussion in 'Payments processing' started by jasonbcil, Aug 4, 2008.

  1. jasonbcil

    jasonbcil New Member

    Joined:
    Jun 23, 2008
    Messages:
    20
    I'm working on setting up an amember site using Linkpoint for Recurring billing.

    From my research, it appears that Link Point is capable of handling recurring billing solely on their servers, eliminating the need to store CC information locally on my site.

    However, the language describing recurring billing and the amember linkpoint plugin seems to state that the current plugin will most definitely be storing credit card information on my server. Is this the case?

    Does anyone know if using the linkpoint plugin for recurring billing does in fact store cc info in the amember database? Has anyone made any custom mods to the plugin to get around this?

    thanks
  2. jimjwright

    jimjwright New Member

    Joined:
    Sep 12, 2007
    Messages:
    162
    Hello,

    Yes, aMember will store credit card info on your server in order to do rebills thru linkpoint.

    Jimmy
  3. freefall

    freefall New Member

    Joined:
    Jul 30, 2008
    Messages:
    5
    That is 100% illegal. You are not allowed to store credit card details on any server unless it has been authorised to do so. If you get checked by any cc company you will be shut down and blacklisted instantly. Utter madness.
  4. jimjwright

    jimjwright New Member

    Joined:
    Sep 12, 2007
    Messages:
    162
    Hello,

    I hope you weren't directing the illegal statement at me, I was just delivering the message. I also think it's crazy to store CC info on your local server, but it's not illegal if you are PCI DSS compliant and meet the 12 requirements.

    I personally could never say that any server that I own is 100% secure. I would be relying on software that I didn't write (firewall, antivirus, OS, third-party scripts) to provide the security. Unfortunately, if a security breach happens they are not held responsible; I would be the one held responsible. The best way to secure a server is to remove it from the network and only deal with physical thieves, but this makes the server kind of useless.

    I believe PCI DSS states that under no circumstances are you allowed to physically store the card verification code. No exceptions. Since this is the best piece of information to use for fraud protection, it really makes the storage of cc info useless in my mind if you care at all about security and fraud.

    Jimmy
  5. freefall

    freefall New Member

    Joined:
    Jul 30, 2008
    Messages:
    5
    No, no, it's not directed at you at all. It's directed at someone who has designed a system that stores cc information inside it without dictating the necessity to attain PCI certification. Sorry for the confusion, it was late and I was just shocked.
  6. alex

    alex aMember Pro Customer Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,021
    Interesting discussion.

    There is now a special warning in aMember regarding storing information in the database, and it is the merchant's personal responsibility to maintain PCI compliance as required by your agreement with the credit card company. We could not do that even if we wanted to, because only one section in PCI compliance is about the software, and there is also a lot about security practices and server security.

    aMember Pro complies with all requirements of PCI certification. The credit card code (so-called CVV2) is never stored, neither in the database nor in the PHP session.
  7. awylie

    awylie aMember Pro Customer

    Joined:
    Aug 22, 2006
    Messages:
    41
    How does aMember perform a recurring billing if the CVV code is not stored? Does the subscriber need to re-enter this info every time a charge is made?
  8. alex

    alex aMember Pro Customer Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,021
    No. aMember uses the CVV for the first transaction to additionally validate the customer's credit card. Then, for all the following rebillings, aMember submits the transaction to the payment processor without the CVV - it is normal, and it is how it is supposed to work.
  9. celina

    celina Member

    Joined:
    Sep 9, 2008
    Messages:
    86
    OMG, this must be exactly the reason that I'm receiving so many failures on rebill! Because the cvv code is being passed through the first time only, and never on rebill. What can I do about this, Alex? I'm seeing a large number of rebill failures and this must be why.
  10. alex

    alex aMember Pro Customer Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,021
    Why do you think it is the reason?

    It is COMPLETELY PROHIBITED to store CVV codes, even in encrypted form, even inside protected environments!

    Recurring rebills must be handled fine without CVV codes. If that does not happen, contact your payment processor to find out more information. Provide them with full information, including the transaction# and so on.

    Or contact us via helpdesk with aMember CP login info and the transaction# that causes questions. We will help to formulate the correct questions to ask your payment system.
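
Added example, not part of the original thread and not aMember or Linkpoint code: a Python illustration of the flow described in posts 8 and 10, where the CVV is sent once with the first charge, is dropped before the record is stored, and rebills go out without it. The field names, request shapes and the `audit_rows` check for stored CVV-like fields are assumptions made for this example.

```python
# Assumed field names for sensitive authentication data (hypothetical, not aMember's schema).
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_code"}


def initial_charge(form, amount):
    """First payment: the CVV typed by the customer goes to the processor once."""
    return {"pan": form["pan"], "exp": form["exp"], "cvv": form["cvv"], "amount": amount}


def record_for_storage(form):
    """Build the row kept for rebills; the CVV is dropped before anything is persisted."""
    return {k: v for k, v in form.items() if k.lower() not in FORBIDDEN_KEYS}


def rebill_charge(stored, amount):
    """Later payments: only the stored number and expiry date are sent, no CVV."""
    return {"pan": stored["pan"], "exp": stored["exp"], "amount": amount}


def audit_rows(rows):
    """Return (row_index, path) for every non-empty CVV-like field, nested dicts included."""
    findings = []

    def walk(value, idx, path):
        if isinstance(value, dict):
            for key, inner in value.items():
                here = f"{path}.{key}" if path else str(key)
                if str(key).lower() in FORBIDDEN_KEYS and inner not in (None, ""):
                    findings.append((idx, here))
                walk(inner, idx, here)

    for idx, row in enumerate(rows):
        walk(row, idx, "")
    return findings


# Constructed sample data: 4111111111111111 is a well-known test card number.
FORM = {"name": "J. Doe", "pan": "4111111111111111", "exp": "1210", "cvv": "123"}
ROWS = [
    record_for_storage(FORM),                                       # clean row
    {"pan": "4111111111111111", "exp": "1210", "CVV2": "123"},      # violation
    {"pan": "4111111111111111", "session": {"card_code": "123"}},   # nested violation
]

if __name__ == "__main__":
    print(initial_charge(FORM, "19.95"))
    print(rebill_charge(ROWS[0], "19.95"))
    print(audit_rows(ROWS))
```
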
  11. celina

    celina Member

    Joined:
    Sep 9, 2008
    Messages:
    86
    Alex, I just want to say that you're so wonderful to keep so on top of these boards. I really appreciate it so much.

    I called my payment processor, First Data, yesterday -- twice, actually -- and all they could tell me is that the problem was on the customer's bank's side; that their banks were rejecting the charges, for a variety of reasons. I just thought that perhaps they were rejecting these rebills, while they had accepted the original charges, because the rebill info wasn't including the CVV codes. I know it's illegal to store those codes, though. I think First Data has some kind of recurring billing system, however, don't know how the Amember plug-in taps into that. I will contact the help desk. Thank you so much!
  12. celina

    celina Member

    Joined:
    Sep 9, 2008
    Messages:
    86
    Just an update that this issue is still plaguing us, and I've been communicating with Anton about it via the helpdesk. I do think that the linkpoint plugin needs to be coded so it interacts with linkpoint's own periodic billing module. Since amember is only sending through the user name, credit card number and expire date, a huge number of our billings are failing, even though the credit card itself is good. We're losing lots of money as a result. Hoping this can get fixed!
