Posted: May 22, 2020 at 8:16 am
Hi. We, unfortunately, had a handful of credit cards that have been fraudulently used the day after we hosted a paid event. I’m wondering if you can give me more details on PCI compliance, etc. and how Event Espresso handles credit card processing. We have to send an email to our members and want to be sure we give them detailed info. We use Authorize.net and have an SSL certificate, so we felt like we had all the bases covered. Thanks very much. We have been using Event Espresso for a few years and have really appreciated the service.
Hi there, Firstly I’m sorry this has happened to you, it’s never a good time but now even more so.
The short answer is that the majority of your PCI compliance is outside the scope of Event Espresso. Depending on the payment method you chose to use, there are various different processes for remaining PCI compliant. If you use an ‘Onsite’ payment method, in which the user enters the card details on your site, then there is much more to PCI compliance than there is when using an ‘Offsite’ payment method, in which the user is directed to your payment provider to enter the payment details. However, the majority of what you need to do to be compliant is outside of Event Espresso regardless of the payment method you use; it’s more to do with your procedures and server.
I’m more than happy to answer any questions you may have, but it sounds like you are expecting some form of PCI compliance from ourselves for your site? Or am I misunderstanding what you are asking for?
Which specific Authorize.net payment method are you using (we have a few)? There is much more to PCI compliance than an SSL certificate, and it varies greatly depending on the type of payment method you are using.
Also, just to clarify, by this:
Do you mean those cards were compromised, or you had a string of fraudulent transactions go through the site? I’m assuming the former but just want to be clear.
Thank you for your explanation. We were using Authorize.net AIM. I’ve seen on our website that Event Espresso only keeps the last 4 digits and nothing else and passes all information to Authorize.net. That was helpful. We had users contact us saying that fraudulent charges were seen on their credit card soon after they had registered for our event. No, I wasn’t looking for any type of compliance form; I was just trying to perform some due diligence as we gather information.
The card information available to Event Espresso heavily depends on the payment method used. With an onsite payment method such as Auth.net AIM the card details are input on your server and passed onto Auth.net as mentioned, so in those cases we can store the last 4 digits of the card. Had you been using Auth.net Accept we wouldn’t have access to those details and so no card details would have been stored. But to answer your question the most Event Espresso will store with regards to a card number, is the last 4 digits. We do not (and have no plans to) store full card details within Event Espresso.
I assume you have checked over your site for any malware just to be safe?
Ok, my apologies. What sometimes happens is users assume EventEspresso.com (not the plugin) somehow manages all of the PCI compliance for users using the software. That simply isn’t the case, and I couldn’t tell from your question if that is where you were heading.
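To illustrate the onsite/offsite distinction the reply above draws, here is an added example (editor's code, not Event Espresso's or Authorize.net's own). With an onsite method such as AIM the full card number passes through the merchant's server, so the code has to decide what survives the request: here only a transaction id and the last four digits are persisted, and a log filter masks any Luhn-valid card-like digit run before it is written. With an offsite method the provider's callback already carries only a token and last4, so there is nothing to scope. `StubGateway` is a hypothetical stand-in for the processor's API and `TEST_PAN` is a constructed test number; neither is real card data.

```python
"""Card-data minimisation on the merchant side (added example, not Event Espresso code)."""
import re
from dataclasses import dataclass

# Constructed test PAN (a widely published Visa test number); no real card data here.
TEST_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes from a form field; reject anything that is not a plausible PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not luhn_valid(pan):
        raise ValueError("card number failed basic validation")
    return pan


@dataclass(frozen=True)
class PaymentRecord:
    """The only card-related fields this side ever persists: no PAN, no expiry, no CVV."""
    txn_id: str
    last4: str
    amount_cents: int


class StubGateway:
    """Hypothetical stand-in for the payment processor's charge API (constructed for the example)."""

    def __init__(self) -> None:
        self.calls = 0

    def charge(self, pan: str, exp: str, cvv: str, amount_cents: int) -> str:
        self.calls += 1
        return f"txn-{self.calls:06d}"


def process_onsite_payment(form: dict, gateway: StubGateway) -> PaymentRecord:
    """Onsite flow: the PAN transits this server, so only txn id and last4 leave this function."""
    pan = normalise_pan(form["card_number"])
    txn_id = gateway.charge(pan, form["exp"], form["cvv"], form["amount_cents"])
    return PaymentRecord(txn_id=txn_id, last4=pan[-4:], amount_cents=form["amount_cents"])


def process_offsite_payment(callback: dict) -> PaymentRecord:
    """Offsite flow: the provider's callback carries a token and last4; no PAN ever arrives."""
    return PaymentRecord(
        txn_id=callback["txn_id"], last4=callback["last4"], amount_cents=callback["amount_cents"]
    )


# 13-19 digits, optionally separated by single spaces or dashes, starting and ending on a digit.
_PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_pans(line: str) -> str:
    """Mask Luhn-valid card-like digit runs in a log line, keeping only the last four digits."""

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)       # e.g. an order number; leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]

    return _PAN_CANDIDATE.sub(_mask, line)


if __name__ == "__main__":
    gw = StubGateway()
    rec = process_onsite_payment(
        {"card_number": TEST_PAN, "exp": "12/30", "cvv": "123", "amount_cents": 1000}, gw
    )
    print(rec)
    print(redact_pans(f"POST /checkout card_number={TEST_PAN} cvv=123 amount=1000"))
```

The log filter is deliberately gated on the Luhn check so that long order or invoice numbers are not mangled; a 13-19 digit run that happens to pass Luhn will still be masked, which is the safer failure direction for a payment log.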
Yes, I ran a malware program and nothing was found, checked the server and nothing has recently been accessed on initial view. Thanks for the info on Authorize.net AIM vs. Authorize.net Accept. Thanks again.
The support post ‘Fraudulent credit card issue’ is closed to new replies.