[Hidden-tech] Shopping cart security

Robert Heller heller at deepsoft.com
Sun Feb 24 20:04:31 EST 2008
Previous message: [Hidden-tech] Shopping cart security
Next message: [Hidden-tech] Shopping cart security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At Fri, 22 Feb 2008 20:45:33 -0500 Will Loving <will at dedicationtechnologies.com> wrote:

> 
>    ** The author of this post was a Good Dobee.
>    ** You too can help the group
>    ** Fill out the survey/skills inventory in the member's area.
>    ** If you did, we all thank you.
> 
> 
> I've been following this thread with some interest as I'm needing to address
> some similar issues. A couple of reasons why I know some clients might want
> to store the CC information are:
> 
> 1. The need to make recurring installment payments on a purchase
> 
> 2. They do NOT want to use a service that charges the card immediately -
> even though it might be more secure - because they need to insure that the
> item being purchased (for example, registering for a class) is both
> appropriate for and still available. Once approval is made the CC
> transaction is run. Clients that have used services that charge the card
> immediately in this type of situation report having to reverse up to 25% of
> the charges for various reasons, which is a real waste of time.
> 
> If someone has experience with either of these scenarios I would be
> interested in hearing your thoughts...

I use PayPal and one customer 'made a mistake' (used the wrong card) and
then made the payment *again*.  It was trivial to refund the extra
payment, including the processing fee.

> 
> Will
> 
> Will Loving, President
> Dedication Technologies, Inc.
> 
> 
> on 2/21/08 11:00 AM, Robert Heller at heller at deepsoft.com wrote:
> 
> > I'm not sure -- probably not.  The entire CC number should be encrypted
> > and none of it sent via E-Mail (even using encryption) -- the E-Mail
> > should just notify that a transaction has occurred and needs attending
> > to.  Anything stored on your server can be compromised, unless you
> > spend essentially a full time effort to protect it.
> > 
> > The database login should also use SSL (or use SSH).  The passphrase
> > should not be stored on the server in any form -- if anything, just a
> > one-way cypher should be used.
> > 
> >> - Is there a better way?
> > 
> > Your client should just 'upgrade' his/her CC processing to include a
> > direct on-line CC processing system.  Is there some reason NOT to do
> > this? There are basically two main options (both are secure):
> > 
> > 1) Your client collects the CC info (using a SSL connection) and connects
> > to the CC processing service (also with https (SSL)).  Your client's web
> > server discards the original CC info and only stores the transaction id
> > returned by the CC processing service.
> > 
> > 2) The 'go to checkout' button re-directs to the CC processing
> > service's SSL web site, passing the shopping cart as a pile of 'hidden'
> > CGI variables (along with things like client id and so on).  Your
> > client's shopping cart software (CGI/PHP script) never sees any
> > sensitive info -- the CC info is collected by the CC processing
> > service.  Again your client just has a transaction code.
> > 
> > Essentially, the cost in time/effort to protect the CC info, might exceed
> > the 'cost' of going to an on-line CC processing service.  PayPal
> > provides such services -- no monthly fees and a fairly modest fee for
> > each transaction. And no, your client's customers don't need a PayPal
> > account to make a purchase.
> > 
> > 
> > At Thu, 21 Feb 2008 07:10:00 -0500 Peter Hutchins <peter at litmusdesigns.com>
> > wrote:
> > 
> >> 
> >> I'd like to run a development concept past the security minded folks
> >> out there for some critical feedback:
> >> 
> >> I'm setting up a shopping cart for a client who wants to process
> >> credit card purchases "offline", i.e.: run the transaction through
> >> their credit card terminal as though it were a phone order without a
> >> web-based payment gateway or merchant account. This obviously requires
> >> collecting and storing critical credit card data until the store owner
> >> processes the transaction, at which point the critical data can be
> >> deleted.
> >> 
> >> Here's my proposed solution for securely handling the data:
> >> 1. CC info is gathered in a SSL encrypted form
> >> 2. expiration data and ccv are written to a database and encrypted via
> >> mysql's AES_ENCRYPT() (this DB is separate from the regular store DB
> >> providing separate password protection, in case the first DB is
> >> compromised)
> >> 3. credit card number is split into two parts, with one half being
> >> encrypted and written to the database with the transaction above
> >> 4. the other half of the credit card number is written to a file that
> >> is encrypted with GnuPG and emailed to the store owner (protecting it
> >> with a Private/Public key and passphrase).
> >> 5. when the store owner gets the email, he logs into the store admin,
> >> views the online credit card info, processes the order and deletes the
> >> online data from the database and the email from his inbox.
> >> 
> >> - One issue I see is that the database login and encryption key for
> >> that half of the process must be stored on the server, rendering it
> >> vulnerable to compromise, but the other half of the CC info is still
> >> protected.
> >> 
> >> So, my questions are:
> >> - Is this secure "enough"?
> > 
> 
> >> 
> >> Thanks!
> >> -Peter Hutchins
> >> 
> >> 
> >> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
> >> Peter Hutchins
> >> Litmus Designs
> >> 505 S. Albany St.
> >> Ithaca, NY 14850
> >> 413.582.7038 voice
> >> 413.517.0596 fax
> >> www.litmusdesigns.com
> >> 
> >> web design, custom programming & graphic design
> >> : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
> >> 
> >> 
> >> MIME-Version: 1.0
> >> 
> >> _______________________________________________
> >> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> >> Hidden-discuss at lists.hidden-tech.net
> >> 
> >> You are receiving this because you are on the Hidden-Tech Discussion list.
> >> If you would like to change your list preferences, Go to the Members
> >> page on the Hidden Tech Web site.
> >> http://www.hidden-tech.net/members
> >> 
> >>  
> 
> 

-- 
Robert Heller             -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software        -- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
heller at deepsoft.com       -- Contract Programming: C/C++, Tcl/Tk
Previous message: [Hidden-tech] Shopping cart security
Next message: [Hidden-tech] Shopping cart security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Hidden-discuss mailing list