The question of whether you should or shouldn't keep anything is a practicality issue. There are quite a few obligations put on you if you store any of the card details in any form - written, electronic or engraved into marble. For example, if you store the card number, and it ends up being stolen, you could be held liable for the losses the cardholder incurs as a result. The terms are outlined in the merchant agreement you signed when you agreed to take on the card merchant facility.
In short, if you store anything you have to go to a lot of lengths to protect the data from malicious or accidental interception - separate database server, encryption, secure transmission between servers etc etc. This applies not only to data stored on your web site servers, but also in your accounting system and in local servers. You have to protect the data from being misused by disgruntled or dishonest employees for example or you could possibly be held liable for any losses incurred by the cardholder.

The easiest way to honour your obligations for all this is just to not store the info. There's nothing that says you can't store it. Just that if you do store it, you must do everything practical to ensure it's safe from dishonest, negligent or malicious people who might come in contact with it.

Your own bank's merchant services people should tell you whether it's ok to store just the last four digits of the number (your rules might be different from ours), but if it's any help, it's acceptable in Australia to store and print the last four digits in the form you outline.

Cheers
Mike Kear
Windsor, NSW, Australia
Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

On 4/16/06, Adrian Lynch <[EMAIL PROTECTED]> wrote:
> I'm about to create a table to hold credit card booking info and I was
> wondering what info you can store regarding the card details. I don't keep
> the CC number, but does anyone know if it's ok to keep part of it so I can
> show details like CC: **** **** **** 1234?
>
> This is a UK based company if it makes a difference.
>
> Can anyone point me to any resources about this sort of thing. I've always
> been under the impression that I shouldn't keep anything.
>
> Thanks.
>
> Adrian Lynch
> http://www.halestorm.co.uk/
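
An added example, not part of the original thread: one way to reduce a submitted card number to the last four digits and the masked display string discussed above, so the full number never reaches the booking table. The function and field names are hypothetical, and the card number in the usage comment is a standard test number, not a real card.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def storable_card_fields(pan_input: str) -> dict:
    """Return only the fields kept with the booking (hypothetical column names).

    The full number is used for validation and then discarded; it is never
    placed in the returned record or in an exception message, so it cannot
    leak into the database or the application logs from this function.
    """
    digits = re.sub(r"[ -]", "", pan_input)       # accept "4111 1111 ..." or "4111-1111-..."
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        raise ValueError("card number has an invalid format")
    if not luhn_ok(digits):
        raise ValueError("card number failed the checksum")
    last4 = digits[-4:]
    return {
        "card_last4": last4,
        # Fixed-width mask, in the form asked about in the question; it also
        # avoids revealing the length of the original number.
        "card_display": "**** **** **** " + last4,
    }


if __name__ == "__main__":
    # Test number (constructed input), as typed into a booking form.
    print(storable_card_fields("4111 1111 1111 1111"))
```

The record returned here is what gets written to the booking table; the variable holding the full number should go out of scope as soon as the payment request has been sent.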