New to LS Retail.
Does any one have an idea where in LS Retail the credit cards numbers and amount paid are stored? Trans Payment Entry have a field called ‘card or account’ and some numbers are stored there, are they credit card numbers? Please help.
Thanks.
Hi Imran,
I hope that they are not there! If they are then LS Retail / Axapta is not PCI compliant.
Really?. The requirement is - the customer wants to reconsile the credits cards payments transactions statement they get from the bank with the credit payments in NAV. Credit car numbers they get in the statements are not secure -only first four and last four digits are shown. In LS retail credit card transactions are there but no credit card numbers. So the reconsiliation cannot be done for each credit card number right? so only solution i can think of reconsiling total amount that payed by credit cards with total amount in the statements. Please clarify.
thanks.
PCI is the Payment Card Industry’s standards for data security in relation payments with credit cards.
The basic requirement is that you cannot store any credit card numbers (and expiration/cvc codes) in your system. Not even temporary.
That is unless your company is living up to a very long list of additional requirements, such as 24-7 physical surveillance of your data storage rooms, plus that all credit card information are stored encrypted and in a way that no employees who are not permitted can access them.
One of the easiest ways “around” these requirements is to use a payment gateway which is handling these requirements and only returns a “token”, which is then stored in your system. But it’s a token which makes no sense credit card number wise. All you are allowed to store is a number like “1234 56** **** **** 1234”.
When that is said, then I know that many solutions (including credit card add-on’s for Navision and Axapta) still stores the full credit card number, expiration date and cvc codes in the system. And by doing this they are actually in violation with the requirements from ex. Visa and Mastercard.
Why would you need the credit card number to achieve this? Isn’t there a transaction ID associated with each transaction? Could this not be used?
Exactly. Typically you would be using the payment/transaction id as your identification code.
PCI restricts the following (and maybe more)
Unencrypted credit card number
CVV or CVV2
Pin blocks
PIN numbers
Track 1 or 2 data
Any of the above found in databases, log files, audit trails, backup’s etc. can result in serious consequences for the merchant, especially if a compromise has taken place.
In the US, most states have adopted data privacy laws that can result in penalties for mishandling of “personally identifiable data”. And yes, this can include systems VARs that have access to client financial systems.