  1. CiviCRM
  2. CRM-16362

Token storage and card on file support

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 4.7
    • Fix Version/s: Unscheduled
    • Component/s: None
    • Labels:
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      None

      Description

      Provide a storage mechanism for tokenised credit card details, an API to retrieve them, and rules for presenting through the UI the option to pay by 'card on file', which is in fact token on file.

      This is an overview issue - with detail in the subtasks. Our PCI consultant on this is Stephen Besbier from IATS.

      A few notes on terms.

      • The industry term for storing a token representing a credit card stored & managed by a payment gateway provider is 'card on file'. This is confusing to developers, as we store a token, not a card, and it has to be understood to mean storing a token.
      • It is acceptable to store the token along with expiry date, ?pan? (first & last 4 digits of the credit card) and billing name with the token (but not with the credit card). Storing the IP address is a nice-to-have for forensics & fraud.

      The other PCI-related issues are around when it's OK to store tokens (two situations: part of a recurring and by form approval on a one-off). So the questions are around when the offer is made to store the token and when to allow use of it.
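A sketch of a storage guard for the token-on-file record described above, as an added example (not CiviCRM code and not part of the original issue). All names are hypothetical; it assumes "first & last 4" means the first four and last four digits, and that the card number is available in memory only at the moment the gateway returns the token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical labels for the two situations the issue names for storing a token.
ALLOWED_CONTEXTS = {"recurring", "one_off_form_approval"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to spot values that are really card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_card_number(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def mask_pan(card_number: str) -> str:
    """Keep only the first four and last four digits."""
    digits = re.sub(r"\D", "", card_number)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]

@dataclass(frozen=True)
class TokenOnFile:
    token: str
    expiry: str                       # MM/YY
    masked_pan: str
    billing_name: str
    ip_address: Optional[str] = None  # nice-to-have for forensics and fraud

def build_record(token, expiry, card_number, billing_name, context,
                 ip_address=None) -> TokenOnFile:
    """Return the only fields that get persisted; the card number never is."""
    if context not in ALLOWED_CONTEXTS:
        raise PermissionError("no basis for storing a token: " + context)
    # A field carrying a real card number would defeat the point of tokenising.
    for field in (token, billing_name):
        if looks_like_card_number(field):
            raise ValueError("field looks like a card number; refusing to store")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    return TokenOnFile(token, expiry, mask_pan(card_number),
                       billing_name.strip(), ip_address)
```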

            People

            • Assignee:
              eileen Eileen McNaughton
              Reporter:
              eileen Eileen McNaughton