PCI Compliance
The NetForum product supports the applicable requirements of Payment Card Industry (PCI) compliance, specifically Requirement 3 (Protect Stored Cardholder Data) and Requirement 6 (Develop and Maintain Secure Systems and Applications).
See https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information about these requirements.
Specifically, within NetForum the cardholder PAN is encrypted with strong cryptography when saved and masked when displayed to the user. Cardholder data is transmitted over Transport Layer Security (TLS) 1.2. The DoNotSaveCreditCardInfo system option can be configured so that no credit card information is stored at all. Doing so, however, disables the autopay features for membership renewal and installment orders, since those features need a stored card to charge.
Additional protections added to the product include no longer storing the CVV number and a stored procedure that can be set up as a scheduled task to remove old credit card information (see Technical Information).
Our hosted systems are protected by network and web application firewalls, intrusion detection and prevention systems, and anti-virus software. We also use file integrity monitoring software and have penetration testing and vulnerability scanning performed on a regular basis. Our systems are monitored 24 hours a day, seven days a week, and housed in a restricted-access facility.
The last remaining task for Abila's PCI compliance as a service provider is the training of Abila staff, which is currently underway.
The NetForum product currently stores the following information:
- User name of the person making the payment
- Date of payment
- PayPal™ authorization and cancellation codes
- Transaction reference number
- Type of payment (check, credit card, cash, etc.)
- Credit card number, stored encrypted; only the last 4 digits are shown in the clear when displayed (see Technical Information)
- Credit card expiration date
- Cardholder name
- Billing address
- Shipping address
Notes:
- Stored credit cards are used for recurring billing and, in some cases, refunds within NetForum, so the encrypted card number is decrypted for these functions.
- We no longer store the CVV number for credit cards. The number is transmitted directly to PayPal™ and is not written to our database.
- The DoNotSaveCreditCardInfo system option can be configured to not store any credit card information. However, doing so will disable the autopay features for membership renewal and installment orders.
Technical Information
- The stored procedure for removing old credit card data is: ac_removecreditcardinfo
- You define what your organization considers old credit card information by setting a number of days in the RemoveCreditCardInfo system option. The stored procedure clears all credit card information older than that number of days from the database. It will NOT, however, remove credit card information tied to open orders, because that information is still needed to complete processing of those orders. Setting the option alone does not purge anything; the procedure only removes data when it is actually scheduled and run.
- In NetForum Enterprise, how the credit card number is displayed is dictated by the CreditCardFormat system option. The value has the form first;last;maskcharacter, and the default is 2;4;* : show the first 2 and last 4 digits ONLY, with the remaining digits replaced by asterisks ("*"), for example 44**********2324. Do not configure this option to reveal more than the first six and last four digits, which is the most PCI DSS permits a display to show.
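The two rules above (the CreditCardFormat masking and the RemoveCreditCardInfo retention cutoff that skips open orders) are small enough to check in code. The following is an added example written for this page, not NetForum or Abila code: the first;last;maskchar format and its 2;4;* default come from the page, while the function names, the StoredCard record layout, the sample card records and the reading of "older than" as strictly before the cutoff date are assumptions made for illustration.

```python
"""Added example (not NetForum or Abila code): PAN display masking driven by a
CreditCardFormat-style option, and the retention rule the scheduled cleanup
applies. The "first;last;maskchar" format and its 2;4;* default come from the
page; record layout, function names and sample data are assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta

# Valid PANs are 13 to 19 digits (ISO/IEC 7812); anything else is not a card number.
PAN_MIN, PAN_MAX = 13, 19
# PCI DSS lets a display reveal at most the first six and last four digits.
MAX_LEADING, MAX_TRAILING = 6, 4


def parse_card_format(fmt: str) -> tuple[int, int, str]:
    """Parse 'first;last;maskchar' (the shape of the CreditCardFormat value).

    Rejects values that would show more than PCI DSS permits, so a
    misconfigured option fails closed instead of leaking digits.
    """
    parts = fmt.split(";")
    if len(parts) != 3:
        raise ValueError(f"bad CreditCardFormat {fmt!r}: expected first;last;maskchar")
    first_s, last_s, mask = parts
    if not (first_s.isdigit() and last_s.isdigit()):
        raise ValueError(f"bad CreditCardFormat {fmt!r}: counts must be integers")
    first, last = int(first_s), int(last_s)
    if len(mask) != 1 or mask.isdigit():
        raise ValueError(f"bad CreditCardFormat {fmt!r}: mask must be one non-digit character")
    if first > MAX_LEADING or last > MAX_TRAILING:
        raise ValueError(f"CreditCardFormat {fmt!r} would reveal more than first 6 / last 4")
    return first, last, mask


def mask_pan(pan: str, fmt: str = "2;4;*") -> str:
    """Return the PAN as it should be displayed, e.g. 44**********2324."""
    first, last, mask = parse_card_format(fmt)
    digits = "".join(ch for ch in pan if ch.isdigit())  # tolerate spaces and dashes
    if not PAN_MIN <= len(digits) <= PAN_MAX:
        # Too short to be a PAN: refuse rather than echo most of the input back.
        raise ValueError("input is not a PAN; refusing to display it")
    hidden = len(digits) - first - last  # always >= 3 given the limits above
    return digits[:first] + mask * hidden + digits[len(digits) - last:]


@dataclass(frozen=True)
class StoredCard:
    """Assumed record layout: one encrypted card row and its order state."""
    card_id: int
    saved_on: date      # when the encrypted card record was written
    open_order: bool    # linked to an order that is still being processed


def cards_to_purge(cards, retention_days: int, today: date) -> list[int]:
    """Ids the cleanup should clear: saved more than retention_days ago and
    not tied to an open order (the rule the page gives for the scheduled
    ac_removecreditcardinfo procedure). 'Older than' is read as strictly
    before the cutoff date; that boundary is an assumption."""
    if retention_days < 0:
        raise ValueError("retention must be a non-negative day count")
    cutoff = today - timedelta(days=retention_days)
    return sorted(c.card_id for c in cards if c.saved_on < cutoff and not c.open_order)


# Constructed sample data, not taken from any real system.
TODAY = date(2024, 6, 30)
SAMPLE_CARDS = [
    StoredCard(1, date(2023, 1, 15), open_order=False),   # old, no open order: purge
    StoredCard(2, date(2023, 1, 15), open_order=True),    # old but open installment order: keep
    StoredCard(3, date(2024, 6, 1), open_order=False),    # recent: keep
    StoredCard(4, date(2023, 12, 31), open_order=False),  # 182 days old on TODAY
]

if __name__ == "__main__":
    print(mask_pan("4400000000002324"))              # 44**********2324
    print(cards_to_purge(SAMPLE_CARDS, 180, TODAY))  # [1, 4]
```

With a 180-day retention the cutoff falls on 2024-01-02, so cards 1 and 4 are cleared while card 2 survives only because of its open order; raising retention to 365 keeps card 4 as well. The format parser deliberately refuses anything beyond 6;4 so that a typo in the system option cannot turn the display into a PAN leak.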