Prevent users seeing credit card numbers?

Max Classic
#1

We’ve a problem with the paperwork for the credit card companies: Payment Card Industries compliance, or PCI. Our provider has two types of PCI compliance form: if employees just take credit card numbers and pass them on, the form is simple – six fairly straightforward questions. If employees have access to stored credit card data, the form is ridiculously painful: more than 50 questions, each similar to: “Do you do regular full system security audits? Why not?”.

The problem is that for Infusionsoft to take credit card payments the card details need to be entered permanently with the customer record, and an employee can view them on entering their password. There’s no need for this functionality; we never need to see credit card data because Infusionsoft manage all the payments. But we can’t find a way to get rid of it, and for as long as we have it we cannot complete the PCI accreditation.

The only solution we’ve found so far is to stop taking credit card payments, ridiculous as it sounds.

Is there any way to prevent the ‘View credit card’ dialog for users? Could the IFS admins tweak the permissions for that table, or something?

  • Charles
#2

Currently, there is a permission for non-admin users, that can disable this. Admin’s of-course, can still access this, as permissions do not apply to ‘admin’ users.

If the user is not an admin, there is the permission under the ‘Application’ section of permissions called
’Can Reveal Credit Card Data’
This permission controls a user’s ability to view stored credit card data. If it is set to No, the user is not able to see the View Secure Credit Card Info link when managing a customer’s credit card information.

2 Likes
Two factor authentication?
#3

Many thanks, James! That at least gives us a way to negotiate with the Credit Card provider. We might offer to have a separate admin account so that nobody doing day to day activities has access to the card data.

I’ll post here if they accept it - it may be some time before we find out, though!

  • Charles
#4

HI Charles,

There are a number of different levels in the PCI compliance. If you are a small merchant and do not handle the credit cards on your own, you are exempt from needing a PCI compliance of your own. Only admins have access to view the credit card numbers, which is complaint since you can’t not bulk export credit card details.

Please email security@infusionsoft.com and we can help address your needs and get you the right information.

1 Like