-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yo All!
> I believe it almost never happens. As I understand the card association > rules, the merchant has to hang on to the data for refund purposes. Nope, all you need to generate a refund is the original transaction ID. At least with the processors I use. You can get the PCI requirements here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml You are allowed to store the Card number, name and expiration date. Appendix B allows you to store that unencrypted. You are not allowed to store the mag stripe, CVC2 or PIN. RGDS GARY - --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFIwGNoBmnRqz71OvMRAvHmAKCepmVQ4F5fOWdxU5VOD9gTMYW3rACcCWfe Fv3+09X/t92G6Du76Z9Bocs= =YoK0 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
