[ic] Scary problem with credit cards

Sonny Cook sonny@akopia.com
Wed, 25 Oct 2000 01:23:00 -0500 (CDT) 

Are you SURE that you want to send people's cc numbers over email?

Credit card processing is a subset of form handling, and as such is
controlled from the order profile (defined in etc/profiles.order).  There
are two directives there that will impact this.

	&credit_card=
	&charge=

For '&credit_card=' the usual options are 'standard keep' standard tells
it to use the standard encryption (this includes a simple luhn checksum on
the number) and keep tells it not to erase the number and dates from
memory.  &charge sets the verification system to use (like cybercharge).

If you set CreditCardAuto it will go ahead and call the encryption routine
when the cgi variables are updated.  (ie, before the form is handled using
the profile).  CreditCardAuto will do the same thing that
&credit_card=standard will do (they call the same routine).

In brief, the encryption routine verfies the dates and does the check on
the cc_number.  If you type in a bad number it will be caught here.  It
then goes ahead and encrypts the date and number and returns it into a
variable called mv_credit_card_info.  It erases from memory
mv_credit_card_number (that's why you don't see it).  If do not set
CreditCardAuto and set '&credit_card=standard keep' in the profiles.order
file.  (Or you could just not set either.)  Then the credit card number
should make it into the email in clear text.  DO NOT DO THIS!!!

If you are considering sending cc nums over unencrypted channels (like
email) I strongly invite you to consider this alternative:

Use pgp or gpg and generate yourself a public/private key.  Put the public
key on the IC server and use it to encrypt the cc num et all into
mv_credit_card_info.  Have IC mail this to you and then decrypt it using
the private key.  This is in-fact the way it was designed to work.

Hope this helped.

---
Sonny Cook 
Akopia

"I don't want fifteen dollars."  --Franklin D. Rooselvelt

On Tue, 24 Oct 2000, Strider Centaur wrote:

>     This is scary, for some reason the credit card number is not being
> displayed on the e-mail being sent to the order-to email address, we get
> everything but the actual number.
> 
>     We have made changes to the checkout.html page ( and Im sure we must
> have broken this ) but for the life of me it all looks right.
> 
>     All we did was turn the SELECT where you would normally have
> selected you payment method into a string and moved the variables of
> that into a hidden input tag.   That all seems to work because we are
> always prompted for the credit card number.  And if we enter a bad card
> number we get the (Credit card fails tests.)  message.  So it looks like
> its processing it to that point.
> 
>     We have CreditCardAuto set to Yes but not Encryptor defined.   If we
> set CreditCardAuto to No or commented out we keep getting CC failed
> encryption messages.
> 
>     Any suggestions or advice is greatly appreciated.
> 
> 
> --
> Strider Centaur
> HTTP://www.Scifi-Fantasy.com
> 
>    " It is my observation that unless you really understand the issues, you are
> hardly in a position to criticize.   Nearly all Linux users have used Windows,
> but very few Windows users have used Linux. " -- Me
> 
> 
> 
> 
> _______________________________________________
> Interchange-users mailing list
> Interchange-users@www.minivend.com
> http://www.minivend.com/mailman/listinfo/interchange-users
>