PCI Compliance
The netFORUM product supports the applicable requirements of Payment Card Industry (PCI) compliance Requirement 3 (Protect Stored Cardholder Data) and Requirement 6 (Develop and Maintain Secure Systems and Applications).
See https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information about these requirements.
All Abila staff that deal with netFORUM have been trained in PCI Compliance. netFORUM complies with PCI requirements no matter what payment gateway you use. But the way netFORUM complies with these requirements varies depending on the type of payment gateway you use.
- Tokenized Gateway: Examples include Sage and Vantiv. When passing cardholder information to a tokenized gateway, netFORUM never saves the sensitive cardholder information itself. Instead, netFORUM saves the token and the following information:
  - cardholder name
  - expiration date
- Non-Tokenized Gateway: An example is PayPal. If the cardholder's personal information is saved within netFORUM, that information is encrypted with dynamically generated keys and masked when displayed to the netFORUM user. When cardholder data is transmitted, it is transmitted encrypted through Transport Layer Security (TLS 1.2). The DoNotSaveCreditCardInfo system option can be configured to not store any credit card information. However, doing so will disable the autopay features for membership renewal and installment orders. Using the netFORUM defaults, the following information is stored:
  - encrypted card number
  - authorization and cancellation codes (PayPal only)
  - cardholder name
  - expiration date
In addition, our hosted systems are protected by network and web-application firewalls, intrusion detection and prevention systems, and anti-virus software. We also use file-integrity software and have penetration testing and vulnerability scanning performed on a regular basis. Our systems are monitored 24 hours a day, seven days a week, and housed in a restricted-access facility.
Note: netFORUM does not store the CVV Number for credit cards. The number is transmitted directly to the Gateway and not stored in the database.
Technical Information
- The following is the stored procedure for removing old credit card data: ac_removecreditcardinfo
- You can define what your organization considers old credit card information by setting a number of days in the RemoveCreditCardInfo system option. The stored procedure will clear all the credit card information from the database older than the number of days you have entered in the system option. It will NOT, however, remove credit card information related to open orders, as the information is still needed to complete the processing of those orders.
- In netFORUM Enterprise, how the credit card is displayed is dictated by the CreditCardFormat system option. The default value is 2;4;*. That is, show ONLY the first 2 digits and the last 4 digits, with the remaining digits converted to asterisks ("*"). For example: 44**********2324.
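As an added illustration (not netFORUM code), the following Python applies a CreditCardFormat-style mask of the form "first;last;maskchar" to a card number and checks that a chosen format stays within the PCI DSS display limit of at most the first six and last four digits. The parsing of the option string and the handling of numbers too short to mask are assumptions for this example, not documented netFORUM behaviour.

```python
# Added example, not netFORUM code: applies a "lead;trail;maskchar" display
# mask (the page's default is "2;4;*") and checks the format against the
# PCI DSS display limit (first six / last four digits at most).
from typing import Tuple

MAX_VISIBLE_LEADING = 6
MAX_VISIBLE_TRAILING = 4


def parse_format(fmt: str) -> Tuple[int, int, str]:
    """Parse 'lead;trail;maskchar'. Assumed syntax, e.g. '2;4;*' -> (2, 4, '*')."""
    parts = fmt.strip().split(";")
    if len(parts) != 3:
        raise ValueError(f"expected 'lead;trail;maskchar', got {fmt!r}")
    lead, trail, mask = int(parts[0]), int(parts[1]), parts[2]
    # A digit as mask character would be indistinguishable from real PAN digits.
    if lead < 0 or trail < 0 or len(mask) != 1 or mask.isdigit():
        raise ValueError(f"invalid mask format {fmt!r}")
    return lead, trail, mask


def format_is_pci_safe(fmt: str) -> bool:
    """True if the format reveals no more than the first 6 and last 4 digits."""
    lead, trail, _ = parse_format(fmt)
    return lead <= MAX_VISIBLE_LEADING and trail <= MAX_VISIBLE_TRAILING


def mask_pan(pan: str, fmt: str = "2;4;*") -> str:
    """Mask a PAN for display, keeping `lead` leading and `trail` trailing digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    lead, trail, mask = parse_format(fmt)
    if lead + trail >= len(digits):
        # Assumed fail-safe: a number too short to hide anything is fully masked.
        return mask * len(digits)
    hidden = len(digits) - lead - trail
    return digits[:lead] + mask * hidden + digits[len(digits) - trail:]


if __name__ == "__main__":
    # Constructed sample PAN (not a real card number).
    print(mask_pan("4412 3456 7890 2324"))        # 44**********2324
    print(format_is_pci_safe("2;4;*"), format_is_pci_safe("8;4;*"))
```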