Yes, the module stores the credit card numbers. We have built and modified all our modules that process, store and transmit credit card information to be fully PCI compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements.
- Credit Card Encryption – All our modules store credit card numbers in the database using RSA 256-bit encryption, which is an approved encryption by PCI. In the cart there is the option to turn off the storage of credit card numbers.
- Card Security Code – CVV/CID on the back of a credit card is collected from the user and sent to the payment gateway for authorization but is never stored in the database.
- SSL – All our products fully support SSL.
- Hack Proof – Our products have undergone rigorous testing and validation for SQL injection and cross-site scripting to prevent unauthorized access to the database.
- Sensitive customer data like passwords are encrypted using 256-bit encryption.
- Our modules are programmed to prevent cross-site scripting and SQL injection attacks.
The following are PCI requirements that are specific to your installation and need to be followed in order for you to be PCI compliant:
- In your web.config file connection string, use integrated SQL security instead of mixed. SQL Server integrated security is more secure.
- Make sure permissions are locked down on SQL Server to the minimum required by your application.
- Never use the SQL Server sa password.
- The rest of the PCI requirements are related to hosting, network, Windows and SQL Server configuration and lockdown and other physical security requirements.
-Scott
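
The web.config checks from the installation list above (integrated security, no stored password, no sa login), written as an added example that is not part of the original post or the vendor's code. The sample config, its connection names and credentials are constructed, and the parser assumes connection-string values contain no quoted semicolons.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; server names, logins and passwords are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="StoreMixed" connectionString="Server=db01;Database=Store;User ID=sa;Password=example;" />
    <add name="StoreSqlLogin" connectionString="Data Source=db01;Initial Catalog=Store;UID=storeapp;PWD=example" />
    <add name="StoreIntegrated" connectionString="Server=db01;Database=Store;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>"""

# SqlClient keyword synonyms, compared case-insensitively.
USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
TRUE_VALUES = {"true", "yes", "sspi"}

def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs

def audit_web_config(xml_text):
    """Return {connection name: [findings]} for each <connectionStrings>/<add>."""
    results = {}
    root = ET.fromstring(xml_text)
    for add in root.findall("./connectionStrings/add"):
        kv = parse_connection_string(add.get("connectionString", ""))
        findings = []
        integrated = any(kv.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS)
        if not integrated:
            findings.append("not using integrated security")
        if any(k in kv for k in PASSWORD_KEYS):
            findings.append("password stored in web.config")
        user = next((kv[k] for k in USER_KEYS if k in kv), "")
        if user.lower() == "sa":
            findings.append("connects as sa")
        results[add.get("name")] = findings
    return results

if __name__ == "__main__":
    for name, findings in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(name, "->", findings or "ok")
```
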