I had to investigate this a little. From what I can see, PCI covers storage of cardholder data. The pieces of sensitive data which can be collected in AbleCommerce include the card number and the security code. Only the card number is ever recorded to the database, and you can even switch this off if you desire within our merchant admin.
If you choose not to store credit card numbers, it seems impossible for your download of the data to violate PCI as there is no storage of sensitive data.
If you choose to store credit card numbers, you must set an encryption key to be PCI compliant (as noted in the secure implementation guide). In that event, DataPort cannot access the card data. You can download it, but it's AES encrypted so the data looks like this:
Code: Select all
<Payment>
<PaymentId>2</PaymentId>
<OrderId>2</OrderId>
<SubscriptionId>0</SubscriptionId>
<PaymentMethodId>6</PaymentMethodId>
<PaymentMethodName>Visa</PaymentMethodName>
<ReferenceNumber>x1111</ReferenceNumber>
<Amount>1190.00</Amount>
<CurrencyCode>USD</CurrencyCode>
<PaymentDate>2009-09-29T09:06:33</PaymentDate>
<PaymentStatusId>0</PaymentStatusId>
<PaymentStatusReason />
<CompletedDate>0001-01-01T00:00:00</CompletedDate>
<EncryptedAccountData>ewMDExbNCRw/5IcowYn/hVeIfaVGLlPZe3kiUGfpWkGE6hlLeRDVoie/riQKsltfZW4gcU48IPqQ7QSZCTpBAC5A5vrPq2K8+pP6TNLQ5g0C0mezWaZYmkL1npgnJDdZwPiCF6pyPGIJCvil56vCtpg5BkVqmzWm4s2N16oUd9c=</EncryptedAccountData>
<ReCrypt>false</ReCrypt>
<Transactions />
</Payment>
I can't absolutely say that downloading of the encrypted data would make you subject to other PCI related rules - the ones related to your network security for example. That's a question only a qualified assessor could answer.
I would say the options are these:
1) create custom reports on the server.
- this is not without it's own considerations... for example if you customized a report so that it could be accessed by the public and showed credit card numbers, that would not be PCI compliant even if our software is PA-DSS certified.
2) Do not store credit card numbers
- the only drawback here is if there is a temporary issue with your realtime gateway, or something goes wrong during the transaction, you have to contact the customer to complete the order. But in this case, it becomes very hard to violate PCI compliance as we have no cardholder data to secure.
3) Download data and build reports locally
- The data download is secure in the sense that it's AES encrypted with a private key that only the server (and your authorized backup persons) have access to. It can't be read without that key. I'm not sure if that qualifies you as having access to cardholder data. But in any case, have you reviewed the self-assessment questionnaire for PCI?
For our upcoming version of DataPort, I am going to ask that we include an option to exclude the encrypted data from the download completely. That will take you back to option #2 with the dataport utility.
