I plan on using CIM for processing transactions, but I also need to store SSNs and EINs for W-9/1099 reasons.
Can CIM be used to store and retrieve this info?
My assumption based on what I've read is that I cannot because a) you can't retrieve with CIM b) it would be stored in custom fields that are not secure and don't follow PCI models.
If it is not possible, what are the recommendations for storing this information?
03-08-2012 12:30 PM
I don't think there are any set standards for storing SSNs, though I could be wrong. If you're going to be storing them, I suggest getting hosting at a PCI-certified hoster (this may require getting your own server, but those are going for only like $150-$200 a month now) and implementing at least the SAQ-C requirements. As far as the database end of things goes, always store the numbers encrypted in a fixed-length field and write over them before you eliminate the record; this makes sure they aren't floating around on the hard disk (at least unless your server is using virtual memory). Won't necessarily be impossible for someone with hands-on access to the server to retrieve an SSN, but it'll be difficult. Remotely, someone would of course have to break into your hosting, but that should be foiled if you're using good hosting and following proper procedures regarding not leaking passwords to people you don't trust.
03-08-2012 01:44 PM
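An added example, not part of either post above, of the advice to keep the numbers encrypted in a fixed-length field and overwrite them before deleting the record. It assumes SQLite, the third-party `cryptography` package, a hypothetical `payee` table with a `tin_enc` column, and a 32-byte key that is loaded from somewhere other than the database.

```python
import os
import re
import sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN, SSN_LEN, TAG_LEN = 12, 9, 16
FIELD_LEN = NONCE_LEN + SSN_LEN + TAG_LEN  # every stored value is exactly 37 bytes

def normalize(tin: str) -> bytes:
    """Strip separators so an SSN (123-45-6789) and an EIN (12-3456789) are both 9 digits."""
    digits = re.sub(r"[\s-]", "", tin)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("expected a 9-digit SSN or EIN")
    return digits.encode()

def open_store(path: str = ":memory:") -> sqlite3.Connection:
    # Assumed schema: table and column names are hypothetical.
    db = sqlite3.connect(path)
    db.execute("PRAGMA secure_delete = ON")  # SQLite overwrites deleted content with zeros
    db.execute(
        "CREATE TABLE IF NOT EXISTS payee (id INTEGER PRIMARY KEY, "
        f"tin_enc BLOB NOT NULL CHECK (length(tin_enc) = {FIELD_LEN}))"
    )
    return db

def store_tin(db: sqlite3.Connection, key: bytes, payee_id: int, tin: str) -> None:
    nonce = os.urandom(NONCE_LEN)
    # The row id is authenticated data, so a blob copied to another row fails to decrypt.
    blob = nonce + AESGCM(key).encrypt(nonce, normalize(tin), str(payee_id).encode())
    with db:
        db.execute("INSERT INTO payee (id, tin_enc) VALUES (?, ?)", (payee_id, blob))

def load_tin(db: sqlite3.Connection, key: bytes, payee_id: int) -> str:
    row = db.execute("SELECT tin_enc FROM payee WHERE id = ?", (payee_id,)).fetchone()
    if row is None:
        raise KeyError(payee_id)
    nonce, body = row[0][:NONCE_LEN], row[0][NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, body, str(payee_id).encode()).decode()

def erase_tin(db: sqlite3.Connection, payee_id: int) -> None:
    """Overwrite the field with random bytes of the same length, then delete the row."""
    with db:
        db.execute("UPDATE payee SET tin_enc = ? WHERE id = ?",
                   (os.urandom(FIELD_LEN), payee_id))
    with db:
        db.execute("DELETE FROM payee WHERE id = ?", (payee_id,))
```

Rollback journals, WAL files and backups can still hold older copies of a page, so they need the same retention handling as the main database file.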