On my e-store I wish to allow customers to buy store credit, which could later be used to purchase items from the store. The vision is that the customer would send some actual money to my account via e.g. PayPal/Credit Card/Whatever and that amount would then appear on their profile. E.g. if a customer carries out a credit card transaction worth $1000, on my store in her profile she could then see something like "Wallet balance: $1000". During checkout she could choose to pay either by regular means or use this local credit.

Questions:

  1. I would not be storing any super-sensitive customer data such as credit card numbers or whatnot in my databases. On the other hand, I guess I would be storing the user's credit (more likely the transactions and the final balance would be inferred). Are there any potential PCI-compliance issues there?
  2. Do simple vault services exist, which I could trust to store this data? Would there be a point though? I am already recording transactions in my DBs.

Off-topic: I have my reasons for wanting this functionality but perhaps there is something inherently wrong with it?

Avius
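The design sketched in the question (record the transactions, derive the balance) can be illustrated with a small append-only ledger. This is an added example, not code from the original post or from any store the asker runs; the class and method names, the `processor_ref` idempotency key and the sample amounts are all constructed for illustration. Note what the ledger holds: a reference to the payment processor's transaction (or to a store order) and an amount, never a card number, so the store credit itself stays outside the card-data scope the answer below describes. The balance is never stored; it is recomputed from the entries, and a replayed top-up notification with the same processor reference is rejected rather than credited twice.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Dict, List, Set, Union


class Kind(Enum):
    TOPUP = "topup"   # real money came in via the payment processor
    SPEND = "spend"   # credit was used to pay for an order


@dataclass(frozen=True)
class Entry:
    customer_id: str
    kind: Kind
    amount: Decimal   # always positive; `kind` decides the sign
    reference: str    # processor transaction id or order id (hypothetical values), never card data


class InsufficientFunds(Exception):
    pass


class DuplicateReference(Exception):
    pass


def _as_money(amount: Union[Decimal, str]) -> Decimal:
    """Normalise an amount to a positive Decimal with at most two decimal places."""
    value = Decimal(str(amount))
    if value <= 0:
        raise ValueError("amount must be positive")
    if value != value.quantize(Decimal("0.01")):
        raise ValueError("amount must have at most two decimal places")
    return value


class WalletLedger:
    """Append-only ledger of store-credit movements; balance is derived, never stored."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []
        self._seen_refs: Set[str] = set()   # idempotency: one entry per external reference

    def _append(self, entry: Entry) -> None:
        if entry.reference in self._seen_refs:
            # A replayed processor webhook or a retried checkout must not double-count.
            raise DuplicateReference(entry.reference)
        self._seen_refs.add(entry.reference)
        self._entries.append(entry)

    def balance(self, customer_id: str) -> Decimal:
        total = Decimal("0.00")
        for e in self._entries:
            if e.customer_id != customer_id:
                continue
            total += e.amount if e.kind is Kind.TOPUP else -e.amount
        return total

    def top_up(self, customer_id: str, amount: Union[Decimal, str], processor_ref: str) -> Decimal:
        """Credit the wallet after the processor confirms the payment identified by processor_ref."""
        self._append(Entry(customer_id, Kind.TOPUP, _as_money(amount), processor_ref))
        return self.balance(customer_id)

    def spend(self, customer_id: str, amount: Union[Decimal, str], order_ref: str) -> Decimal:
        """Debit the wallet for an order; refuses to go negative."""
        value = _as_money(amount)
        if self.balance(customer_id) < value:
            raise InsufficientFunds(f"{customer_id}: balance below {value}")
        self._append(Entry(customer_id, Kind.SPEND, value, order_ref))
        return self.balance(customer_id)

    def history(self, customer_id: str) -> List[Dict[str, str]]:
        """Audit view for the customer's profile page; exposes only what the ledger stores."""
        return [
            {"kind": e.kind.value, "amount": str(e.amount), "reference": e.reference}
            for e in self._entries if e.customer_id == customer_id
        ]


def demo() -> str:
    """Constructed walk-through: $1000 top-up, $250 order, replayed top-up rejected."""
    ledger = WalletLedger()
    ledger.top_up("alice", "1000.00", "pp_txn_0001")   # constructed processor reference
    ledger.spend("alice", "250.00", "order_42")         # constructed order reference
    try:
        ledger.top_up("alice", "1000.00", "pp_txn_0001")  # same reference replayed
    except DuplicateReference:
        pass
    return str(ledger.balance("alice"))


if __name__ == "__main__":
    print("Wallet balance:", demo())   # 750.00
```

Keeping the balance derived rather than stored means a bug in one code path cannot silently leave the stored figure and the transaction history disagreeing; reconciliation against the processor's records is then a matter of comparing references.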

1 Answer

PCI compliance is for credit card data (and by extension people expect the same from other real payment methods). PCI stands for "Payment Card Industry".

The process of a user sending you real money in exchange for "internet points" needs to be PCI compliant.

Whatever you do after with the "internet points" is your thing. Whether they get lost because you send real-world goods (shop), or they get lost because another user pressed a button (game) or because of third-party events (bets) is up to you. There are no regulations except for angry users if you do it wrong.

nvoigt