The client is insisting I continue with this plan despite me explaining all of the risks. I’m close to running far away from them.
Copyright © 2020 - 2022, Project DMC - WordPress Tutorials for Beginners - All Rights Reserved.
> Client is asking me to capture social security, driver’s license and credit card data from users in a Contact Form 7 form. What would you do here?
Run away.
~~You certainly can’t for the CC, PCI rules prevent the capture, transfer and storage of credit card information.~~ Thanks u/Rangerdth for the correction – it’s not prohibited, but you’d be stupid to store CC information regardless – there’s no need to anymore with systems like Stripe built specifically so you don’t touch CC data.
The SSN and driver’s license data are uncool as far as a security risk for the users, but not COMPLETELY unheard of (depending on the use case), though I would say fairly unusual.
The credit card stuff is a hard no.
Man, be careful, one breach and they will be naming you in lawsuits. Why in the world do you want to live on the edge, not being able to sleep at night?
Walk away and I mean it. The guy asking you to do this is an idiot and that is what worries me even more.
He doesn’t even know the basics, zero compliance skills.
I would back away from it if you can afford it.
It doesn’t look like the kind of client that would pay if you decide to not do it like they want it. Seems fishy.
If you really need the money and are from a third-world country or such, I don’t think they can get to you if a lawsuit happens. Document everything about you doing it against your wishes, maybe have it cryptographically notarized, and let them deal with their own s**t when it happens.
Although this is highly inadvisable, using a robust PHP encryption library for DB storage would be the only way to go about this ethically.
What is their point of storing this data?
Also the idea of storing any CC info in a DB is bad, but on a WordPress site, it’s just plain flagrant.
I’d pass on this project. If for some reason you end up doing it, have a lawyer write up an indemnity contract and make them sign it before you do anything. You don’t want to get caught in a lawsuit.
I’d walk away. Not only are you opening yourself up to liability, if they’re not willing to listen to the reasoning of a professional about this, then they’re going to be a pain in the ass client all around.
At the very least write up a contract that includes exactly what they are capturing, the risks associated with that, and a statement along the lines of, “[your company name] has warned and advised you to not keep this data and you have chosen to continue custodianship of the data against this advice. The client agrees to hold harmless and protect [your name and company] or any of its employees for damages due to any breach of security regardless of the cause.” Once you ask them to sign something like that, it may change their tune.
Likely violating many laws. Do some research into PCI compliance as well as privacy laws affecting websites and the like. Then, educate your client. They may have no clue how much of an ask that is.
I wouldn’t do it. There are possibly some 3rd-party options that are trustworthy for the task.