At Fri, 22 Feb 2008 20:45:33 -0500 Will Loving <will at dedicationtechnologies.com> wrote: > > ** The author of this post was a Good Dobee. > ** You too can help the group > ** Fill out the survey/skills inventory in the member's area. > ** If you did, we all thank you. > > > I've been following this thread with some interest as I'm needing to address > some similar issues. A couple of reasons why I know some clients might want > to store the CC information are: > > 1. The need to make recurring installment payments on a purchase > > 2. They do NOT want to use a service that charges the card immediately - > even though it might be more secure - because they need to insure that the > item being purchased (for example, registering for a class) is both > appropriate for and still available. Once approval is made the CC > transaction is run. Clients that have used services that charge the card > immediately in this type of situation report having to reverse up to 25% of > the charges for various reasons, which is a real waste of time. > > If someone has experience with either of these scenarios I would be > interested in hearing your thoughts... I use PayPal and one customer 'made a mistake' (used the wrong card) and then made the payment *again*. It was trivial to refund the extra payment, including the processing fee. > > Will > > Will Loving, President > Dedication Technologies, Inc. > > > on 2/21/08 11:00 AM, Robert Heller at heller at deepsoft.com wrote: > > > I'm not sure -- probably not. The entire CC number should be encrypted > > and none of it sent via E-Mail (even using encryption) -- the E-Mail > > should just notify that a transaction has occurred and needs attending > > to. Anything stored on your server can be compromised, unless you > > spend essentially a full time effort to protect it. > > > > The database login should also use SSL (or use SSH). The passphrase > > should not be stored on the server in any form -- if anything, just a > > one-way cypher should be used. > > > >> - Is there a better way? > > > > Your client should just 'upgrade' his/her CC processing to include a > > direct on-line CC processing system. Is there some reason NOT to do > > this? There are basically two main options (both are secure): > > > > 1) Your client collects the CC info (using a SSL connection) and connects > > to the CC processing service (also with https (SSL)). Your client's web > > server discards the original CC info and only stores the transaction id > > returned by the CC processing service. > > > > 2) The 'go to checkout' button re-directs to the CC processing > > service's SSL web site, passing the shopping cart as a pile of 'hidden' > > CGI variables (along with things like client id and so on). Your > > client's shopping cart software (CGI/PHP script) never sees any > > sensitive info -- the CC info is collected by the CC processing > > service. Again your client just has a transaction code. > > > > Essentially, the cost in time/effort to protect the CC info, might exceed > > the 'cost' of going to an on-line CC processing service. PayPal > > provides such services -- no monthly fees and a fairly modest fee for > > each transaction. And no, your client's customers don't need a PayPal > > account to make a purchase. > > > > > > At Thu, 21 Feb 2008 07:10:00 -0500 Peter Hutchins <peter at litmusdesigns.com> > > wrote: > > > >> > >> I'd like to run a development concept past the security minded folks > >> out there for some critical feedback: > >> > >> I'm setting up a shopping cart for a client who wants to process > >> credit card purchases "offline", i.e.: run the transaction through > >> their credit card terminal as though it were a phone order without a > >> web-based payment gateway or merchant account. This obviously requires > >> collecting and storing critical credit card data until the store owner > >> processes the transaction, at which point the critical data can be > >> deleted. > >> > >> Here's my proposed solution for securely handling the data: > >> 1. CC info is gathered in a SSL encrypted form > >> 2. expiration data and ccv are written to a database and encrypted via > >> mysql's AES_ENCRYPT() (this DB is separate from the regular store DB > >> providing separate password protection, in case the first DB is > >> compromised) > >> 3. credit card number is split into two parts, with one half being > >> encrypted and written to the database with the transaction above > >> 4. the other half of the credit card number is written to a file that > >> is encrypted with GnuPG and emailed to the store owner (protecting it > >> with a Private/Public key and passphrase). > >> 5. when the store owner gets the email, he logs into the store admin, > >> views the online credit card info, processes the order and deletes the > >> online data from the database and the email from his inbox. > >> > >> - One issue I see is that the database login and encryption key for > >> that half of the process must be stored on the server, rendering it > >> vulnerable to compromise, but the other half of the CC info is still > >> protected. > >> > >> So, my questions are: > >> - Is this secure "enough"? > > > > >> > >> Thanks! > >> -Peter Hutchins > >> > >> > >> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : > >> Peter Hutchins > >> Litmus Designs > >> 505 S. Albany St. > >> Ithaca, NY 14850 > >> 413.582.7038 voice > >> 413.517.0596 fax > >> www.litmusdesigns.com > >> > >> web design, custom programming & graphic design > >> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : > >> > >> > >> MIME-Version: 1.0 > >> > >> _______________________________________________ > >> Hidden-discuss mailing list - home page: http://www.hidden-tech.net > >> Hidden-discuss at lists.hidden-tech.net > >> > >> You are receiving this because you are on the Hidden-Tech Discussion list. > >> If you would like to change your list preferences, Go to the Members > >> page on the Hidden Tech Web site. > >> http://www.hidden-tech.net/members > >> > >> > > -- Robert Heller -- Get the Deepwoods Software FireFox Toolbar! Deepwoods Software -- Linux Installation and Administration http://www.deepsoft.com/ -- Web Hosting, with CGI and Database heller at deepsoft.com -- Contract Programming: C/C++, Tcl/Tk