DutyApps.com - Custom Applications for Buy/Sell Operations

Established 1997

Last Updated: October 07, 2011

Authorize.Net Certified Developer

As part of our custom ECommerce services DutyApps.com often installs payment processors (such as Authorize.net) for our clients. Credit card security is always a major concern on the Internet and one that must be approached and implemented with great care. We follow the guidelines below when implementing payment strategies for clients, and we insist that our clients do the same.
Credit Card Information Retention
We DO NOT encourage clients to retain any credit card information submitted by users unless it is absolutely necessary (for some it is). Retaining credit card information inside your Website's database exposes you to security risks.

There are two ways to collect and process credit card information from customers on your Website. We have outlined them below.
1. Secure Socket Layer (SSL) Certificate
All pages on your Website that collect credit card information are served under SSL. An SSL certificate must be purchased (and renewed yearly) for your Website so that all data transferred between the client and the server is encrypted.

2. Real-time Credit Card Processing with a Gateway Processor such as Authorize.net
When using a real-time payment processor you should never need to retain credit card information in your database. There simply is no reason to do so. The credit card information is collected (securely under SSL) and passed on to the payment processing networks, where it is validated in real time and the transaction is processed. You no longer need it after this point.

If your Website requires recurring billing, the processors can generally handle that on their end as well. For example, with Authorize.net you create a subscription (weekly, monthly, quarterly, etc.) and it will automatically bill the card as each date passes.

This is the safest way to process credit cards on your Website.

3. Manual Offline Processing
Offline processing is the process of collecting (securely under SSL) credit card information on your Website and then manually processing it later. There is no shortage of ECommerce vendors in the world who do this and for a variety of reasons.
  1. They do not want to incur the expense of real-time processing, especially when they are new.
  2. They offer products or services that require additional input or charges before an accurate total can be obtained. This happens a lot with the shipping of products. Complex items may incur additional shipping charges not known at order time.
  3. A transaction is dependent on another event. For example, you may enter an online lottery for concert tickets but you will not be charged unless your name is drawn.
In these situations, additional security measures must be taken.
  1. The store information is collected under a Secure Socket Layer (SSL) as it is in any type of credit card transaction (real-time or not).
  2. Credit card information (card holder name, card holder address, card number, CVV code, and expiration date) is encrypted prior to being saved to the database. After encryption, the sensitive information goes through another encryption process known as "salting" to further strengthen the encrypted information against being deciphered.
  3. Order transactions in the private administrative area of your Website have a "Processed" button. Once you have completed that order and charged the card you must mark the order as processed. This will destroy the credit card information (card holder name, card holder address, card number, CVV code, and expiration date) on file. There is no sense in retaining it.
  4. In relation to #3, your Website will be set to automatically delete credit card information within a certain number of days (preferably within 7 - 30 days) in case there are any orders in your Website that you forgot to mark as processed or did not process (which should never happen).
If you decide to utilize recurring billing under a Website that manually processes credit cards then we will demand that you save that information offline and in a secure location at your office, home, or wherever you do business. We do not encourage clients to retain credit card information in their Website's database for any longer than needed.
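As an added illustration of items 2 through 4 above (this is example code, not DutyApps.com's own implementation), the retention lifecycle in Go: encrypt the card details with AES-GCM before they are saved, destroy them when the order is marked "Processed", and sweep any that outlive the retention window. It assumes a 32-byte key held outside the database (for example in the application's configuration) and one row per order; the random nonce per row is what keeps two orders with the same card from producing the same ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// Order is the database row for an offline order. The card details exist only as
// AES-GCM ciphertext, until the order is marked processed or the retention window ends.
type Order struct {
	Nonce, Ciphertext []byte // nil once the card data has been destroyed
	Created           time.Time
	Processed         bool
}
// newGCM builds AES-256-GCM from a 32-byte key that is held outside the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealCard encrypts the card details before they are saved, under a fresh random nonce.
func sealCard(gcm cipher.AEAD, card []byte, now time.Time) (*Order, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Order{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, card, nil), Created: now}, nil
}
// openCard decrypts for the one-time manual charge; a destroyed or tampered row fails.
func openCard(gcm cipher.AEAD, o *Order) ([]byte, error) {
	if o.Ciphertext == nil {
		return nil, errors.New("card data already destroyed")
	}
	return gcm.Open(nil, o.Nonce, o.Ciphertext, nil)
}
// markProcessed is the "Processed" button: the card data is dropped at once.
func markProcessed(o *Order) { o.Processed, o.Nonce, o.Ciphertext = true, nil, nil }
// purgeStale is the automatic sweep: card data older than maxAge is destroyed
// even if nobody remembered to mark the order processed. Returns rows purged.
func purgeStale(orders []*Order, now time.Time, maxAge time.Duration) (n int) {
	for _, o := range orders {
		if o.Ciphertext != nil && now.Sub(o.Created) > maxAge {
			o.Nonce, o.Ciphertext, n = nil, nil, n+1
		}
	}
	return n
}
```

Run purgeStale from a scheduled job with the 7 - 30 day window as maxAge; nothing in the row lets an attacker who copies the database recover the card without the key.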

4. Transaction Information
With ECommerce stores there should be no reason to retain transaction information. If the card is good, the order goes through, and that is it.

With subscription based services, the expiration date will be updated on the account and the renewal date may be saved. Other than that, there is no reason to keep transaction information. If you are using a gateway processor then that information can be looked up on the processor's system if need be. If you are doing offline processing then there should be no reason to take the transaction information from your offline processor and put it into your Website's database. If there is some extreme reason why this must be done then all transaction information containing sensitive data will be encrypted via the process described in item 2 of the Manual Offline Processing section above.

© 1997 - 2012 DutyApps.com - Custom Applications for Buy/Sell Operations