Topic: Data protection laws

Does anyone know whether, by hosting a UK-based shop's website with a US-based hosting company, I'll be breaking Data Protection or other UK laws?

Also, how about security?  I'm using a shared-host environment.  I assume/hope that ZC encrypts things like credit card numbers and the like?  In fact, pretty much any customer-personal-data, come to think of that...?

Are there any other considerations I might have to ... consider?  This is actually my first foray into e-commerce.

Re: Data protection laws

Hi pfm102 (what is your name?)

You can host your shop wherever you want.  If you host in the States you will be subject to that company's terms and conditions.  If you want hosting I can help you out (see www.thehostingshop.co.uk)

Security: I wouldn't want anyone storing my credit card numbers period.  It's not a smart thing to do and if you do do it YOU will be held liable if you get hacked and the card details are used.

ZC doesn't encrypt any data and doesn't normally store the CC number anyway.

You would be best using a payment processor to do it for you and take the risk.

As long as your site has an SSL cert then the data is transferred into the DB in a secure environment.  If the DB isn't in a secure environment then it's not secure.

Kev

Re: Data protection laws

My name's Pete; the nick is my old university login, pretty much untaken wherever I go.

I've been rather busy; apologies for not coming back.  The day-job gets a bit crazy some of the time.

Anyway.  Been doing a little reading.  I definitely don't want to be storing credit card numbers and such-like.  I intend to use ProtX VSP Direct for my payment processor.

To that end, I gather that in Modules -> Payment I should UNinstall "credit card", and probably "The Zen Cart FREE CHARGE CARD", and almost certainly "check/money order" (given that my client has mentioned wanting to take cheques - hey, check/cheque, there's another I18n for you ;-)  ).

I have successfully installed Ceon's Protx module, and am just waiting on their account setup.

How do you normally go about testing out the payment processor?  Do you have a standard set of purchases you run through it in sandbox mode, or what?

Re: Data protection laws

Hey Pete - nice to see you back again.  Isn't it a pain when the day job gets in the way :-)  Roll on organized manic chaos ...

Testing is a brave new world and I tend to take my lead from the clients company testing policy.

Certainly the one key reg to bear in mind is that you can't mix live and test subject data.  Keep one set-up for all financial tests.  The moment you get a real client with data stored in the db the implications of testing change.

Check with the processor how they expect test purchases to be performed.  Given the security implications of getting it wrong, these guys are very happy to help (in most cases).

You need to know whether the client requires every item to be test purchased or whether they are happy to see that ZC takes money.  If it's the latter, get a signed release :-)

I try to ensure that test purchases are made on any items that have price variants and / or delivery options.  It's good to prove that things are working as expected.  This is essential for international transactions.

In general, as long as you can show that you have tested the system well and there are no obvious gaffes, you can start a few refund requests.

If that goes well, go live; out of habit I make the first real transaction - again, just to be sure.  (You'll note I do this after having previously ensured the refund system does work :-) )

Kev