Do I need any special permission to have a form that requests a credit card number? Just request, not storing in a database

@Steve110

Posted in: #PaymentGateway #Payments #Paypal #Security

I'm using the PayPal REST API to make calls using credit card numbers. So I have a form that requests credit card numbers from the users of the site. I could sell or use those credit card numbers that people insert.

So do I need any special permission (legal, whatever..) to have a form that requests credit card numbers?

How do I make users feel secure about inserting their credit card numbers on my website?

I'm living in Spain (Europe).

EDIT: I'm not speaking about storing the credit card number; I will not store the credit card numbers in a database. I just use them for the calls to PayPal.

EDIT 2: Maybe it could be a good idea to insert a PayPal iframe into my site? Better than using the PayPal REST API?


@Heady270

If you are going to use the PayPal REST API then you need to ensure you are PCI compliant (which involves a lot more than a privacy policy and an SSL cert).


If you use the PayPal REST APIs for accepting credit card payments,
you handle card data directly and will need to ensure you are PCI
compliant.

developer.paypal.com/docs/integration/direct/accept-credit-cards/
www.pcisecuritystandards.org/


@Ann8826881

You are confusing me. You say on one hand that you are not storing the credit card number, but then you say you can sell it.

I would not do either, to tell you the truth.

People do not want their information to be sold, especially credit card numbers. This is a bad thing. You can use the information to complete the transaction and for partner applications, but not to sell credit card numbers on the open market. You will get into trouble eventually.

However, if that is what you are doing, make sure that you have a solid privacy policy in place, written by a lawyer who is familiar with these things, and force a user to click a check-box confirming that they have read the privacy policy. Then store the user information, less the credit card number (though I would consider the last 4 digits), along with the transaction time and the fact that the check-box was checked. As well, you will have to clearly define the activities and limits of activities within your privacy policy. You will need to specifically list how and to whom you provide user information and what that specific information is so that the user is properly informed. Also, you will have to use HTTPS.

Otherwise, you will be sued. It will just be a matter of time and you will likely lose.
