1/07/2014

Beware of PCI Compliance with Data

When working with data, you need to be aware of the implications of not following protocol.

When I worked for the County Government, we were mandated to have our applications PCI Compliant.

http://www.pcicomplianceguide.org/pcifaqs.php

That meant complying with the rules or facing penalties and fines.

And since I supported multiple applications which accepted credit cards, I got to sit in a lot of meetings.

Basically, we could not keep credit card info on site, in paper format, electronic format, etc.

My Java applications had a text box for the user to enter their credit card info, PIN number, expiration date, etc.

That was a big no no.

So our architect devised a plan to utilize one of the credit card vendor sites, which allowed us to redirect the customer from our site to theirs, where they paid by credit card, and then return them to our site with a confirmation.

Sounds great, right?

Except let me tell you about pissed off customers, upset people and a lot of chaos and mayhem.

After we went live, we immediately got complaints. People claimed they paid, we had no record, and the credit card company had taken their payment. Somehow they were closing the browser before making the round trip.

And if they didn't make the round trip, we had no confirmation receipt number, so basically we didn't know they had paid. Which resulted in the customer paying again, and again. We even shut off the water at their house due to non-payment. And we had people showing up for campsites they had paid for, with a receipt of payment, yet no record of a reservation.

Now bring in the client who asked us to do the work.  They were upset.  We had to do a three way validation of the payments, on the credit card side, the bank side and our internal record side.

What a mess.  I ended up finding another job with the School Board.  And the guy that architected the system, he got a promotion to Senior Architect.  Somehow they never got fined for violation of PCI compliance, yet the client had a bad experience as did many of the customers.

For clarification, my code was solid: it accepted the info if the customer paid and the round trip handshake completed, then updated the Utilities Java Web Service, which updated the database and processed the payment on our side. I even supported the IVR for Utilities payments, Traffic Fines and Citations, which updated the mainframe using IBM Copybooks and Java Web Services.

I was a real Java Programmer before immersing myself in Business Intelligence full time.
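The three-way validation described above boils down to matching the processor's settlement records against our own confirmations and flagging every disagreement. The following is an added example of that reconciliation, not code from the County system; the record layout and field names are assumptions, and the sample records are constructed. It shows the processor-vs-internal leg; the bank leg is the same comparison against the bank's deposits.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; field names are assumptions, not a real vendor format.
# Processor settlement: what the card vendor says it actually charged.
PROCESSOR = [
    {"txn": "P-1001", "account": "ACCT-42", "amount": Decimal("85.00")},
    {"txn": "P-1002", "account": "ACCT-42", "amount": Decimal("85.00")},  # same bill paid twice
    {"txn": "P-1003", "account": "ACCT-77", "amount": Decimal("30.00")},  # browser closed, no return
    {"txn": "P-1004", "account": "ACCT-90", "amount": Decimal("120.00")},
]
# Internal records: only payments whose round trip back to our site completed.
INTERNAL = [
    {"txn": "P-1001", "account": "ACCT-42", "amount": Decimal("85.00")},
    {"txn": "P-1004", "account": "ACCT-90", "amount": Decimal("12.00")},  # amount recorded wrong
    {"txn": "P-9999", "account": "ACCT-55", "amount": Decimal("50.00")},  # never charged by processor
]


def reconcile(processor, internal):
    """Compare processor settlement against internal confirmations.

    'paid_but_unrecorded' is the dangerous bucket: the customer was charged
    but we have no receipt, so downstream we would treat them as unpaid.
    """
    proc = {r["txn"]: r for r in processor}
    ours = {r["txn"]: r for r in internal}
    report = {
        "matched": [], "paid_but_unrecorded": [], "recorded_but_unpaid": [],
        "amount_mismatch": [], "possible_double_charge": [],
    }
    for txn, p in proc.items():
        o = ours.get(txn)
        if o is None:
            report["paid_but_unrecorded"].append(txn)
        elif o["amount"] != p["amount"]:
            report["amount_mismatch"].append(txn)
        else:
            report["matched"].append(txn)
    for txn in ours:
        if txn not in proc:
            report["recorded_but_unpaid"].append(txn)
    # Same account charged the same amount more than once at the processor:
    # the "paid again, and again" symptom, worth a refund review.
    by_key = defaultdict(list)
    for p in processor:
        by_key[(p["account"], p["amount"])].append(p["txn"])
    for txns in by_key.values():
        if len(txns) > 1:
            report["possible_double_charge"].append(sorted(txns))
    return report
```

Running this over the constructed data puts P-1002 and P-1003 in `paid_but_unrecorded`, which is exactly the set of customers who would otherwise be cut off or asked to pay again.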

It's funny how life works.
