[Hidden-tech] Shopping cart security

Will Loving will at dedicationtechnologies.com
Fri Feb 22 20:45:33 EST 2008


I've been following this thread with some interest as I'm needing to address
some similar issues. A couple of reasons why I know some clients might want
to store the CC information are:

1. The need to make recurring installment payments on a purchase

2. They do NOT want to use a service that charges the card immediately -
even though it might be more secure - because they need to insure that the
item being purchased (for example, registering for a class) is both
appropriate for and still available. Once approval is made the CC
transaction is run. Clients that have used services that charge the card
immediately in this type of situation report having to reverse up to 25% of
the charges for various reasons, which is a real waste of time.

If someone has experience with either of these scenarios I would be
interested in hearing your thoughts...

Will

Will Loving, President
Dedication Technologies, Inc.


on 2/21/08 11:00 AM, Robert Heller at heller at deepsoft.com wrote:

> I'm not sure -- probably not.  The entire CC number should be encrypted
> and none of it sent via E-Mail (even using encryption) -- the E-Mail
> should just notify that a transaction has occurred and needs attending
> to.  Anything stored on your server can be compromised, unless you
> spend essentially a full time effort to protect it.
> 
> The database login should also use SSL (or use SSH).  The passphrase
> should not be stored on the server in any form -- if anything, just a
> one-way cypher should be used.
> 
>> - Is there a better way?
> 
> Your client should just 'upgrade' his/her CC processing to include a
> direct on-line CC processing system.  Is there some reason NOT to do
> this? There are basically two main options (both are secure):
> 
> 1) Your client collects the CC info (using a SSL connection) and connects
> to the CC processing service (also with https (SSL)).  Your client's web
> server discards the original CC info and only stores the transaction id
> returned by the CC processing service.
> 
> 2) The 'go to checkout' button re-directs to the CC processing
> service's SSL web site, passing the shopping cart as a pile of 'hidden'
> CGI variables (along with things like client id and so on).  Your
> client's shopping cart software (CGI/PHP script) never sees any
> sensitive info -- the CC info is collected by the CC processing
> service.  Again your client just has a transaction code.
> 
> Essentially, the cost in time/effort to protect the CC info, might exceed
> the 'cost' of going to an on-line CC processing service.  PayPal
> provides such services -- no monthly fees and a fairly modest fee for
> each transaction. And no, your client's customers don't need a PayPal
> account to make a purchase.
> 
> 
> At Thu, 21 Feb 2008 07:10:00 -0500 Peter Hutchins <peter at litmusdesigns.com>
> wrote:
> 
>> 
>> I'd like to run a development concept past the security minded folks
>> out there for some critical feedback:
>> 
>> I'm setting up a shopping cart for a client who wants to process
>> credit card purchases "offline", i.e.: run the transaction through
>> their credit card terminal as though it were a phone order without a
>> web-based payment gateway or merchant account. This obviously requires
>> collecting and storing critical credit card data until the store owner
>> processes the transaction, at which point the critical data can be
>> deleted.
>> 
>> Here's my proposed solution for securely handling the data:
>> 1. CC info is gathered in a SSL encrypted form
>> 2. expiration data and ccv are written to a database and encrypted via
>> mysql's AES_ENCRYPT() (this DB is separate from the regular store DB
>> providing separate password protection, in case the first DB is
>> compromised)
>> 3. credit card number is split into two parts, with one half being
>> encrypted and written to the database with the transaction above
>> 4. the other half of the credit card number is written to a file that
>> is encrypted with GnuPG and emailed to the store owner (protecting it
>> with a Private/Public key and passphrase).
>> 5. when the store owner gets the email, he logs into the store admin,
>> views the online credit card info, processes the order and deletes the
>> online data from the database and the email from his inbox.
>> 
>> - One issue I see is that the database login and encryption key for
>> that half of the process must be stored on the server, rendering it
>> vulnerable to compromise, but the other half of the CC info is still
>> protected.
>> 
>> So, my questions are:
>> - Is this secure "enough"?
> 

>> 
>> Thanks!
>> -Peter Hutchins
>> 
>> 
>> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
>> Peter Hutchins
>> Litmus Designs
>> 505 S. Albany St.
>> Ithaca, NY 14850
>> 413.582.7038 voice
>> 413.517.0596 fax
>> www.litmusdesigns.com
>> 
>> web design, custom programming & graphic design
>> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
>> 
>> 
>> MIME-Version: 1.0
>> 
>> _______________________________________________
>> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>> Hidden-discuss at lists.hidden-tech.net
>> 
>> You are receiving this because you are on the Hidden-Tech Discussion list.
>> If you would like to change your list preferences, Go to the Members
>> page on the Hidden Tech Web site.
>> http://www.hidden-tech.net/members
>> 
>>  


-- 

William M. Loving
Dedication Technologies, Inc.
7 Coach Lane
Amherst, MA 01002-3304   USA
will at dedicationtechnologies.com
Tel: +1 413 253-7223   (GMT ­5)
Fax: +1 206 202-0476





Google

More information about the Hidden-discuss mailing list