[ic] Scary problem with credit cards
Wed, 25 Oct 2000 03:34:08 -0400
Thank you, Thank you, Thank you, Thank you, Thank you, Thank
you, Thank you, Thank you,
I can't tell you how much this is going to help, I had isolated the encryption
routine in lib/Vend/Order, it seems to try and do a DES encryption, but with your
info I don't even have to worry about any of that. :-)
I do plan on using gpg encryption and have already ginned the keys. Here's
Sonny Cook wrote:
> Are you SURE that you want to send people's cc numbers over email?
> Credit card processing is a subset of form handling, and as such is
> controlled from the order profile (defined in etc/profiles.order). There
> are two directives there that will impact this.
> For '&credit_card=' the usual options are 'standard keep': standard tells
> it to use the standard encryption (this includes a simple Luhn checksum on
> the number) and keep tells it not to erase the number and dates from
> memory. &charge sets the verification system to use (like cybercharge).
> If you set CreditCardAuto it will go ahead and call the encryption routine
> when the cgi variables are updated. (i.e., before the form is handled using
> the profile). CreditCardAuto will do the same thing that
> &credit_card=standard will do (they call the same routine).
> In brief, the encryption routine verifies the dates and does the check on
> the cc_number. If you type in a bad number it will be caught here. It
> then goes ahead and encrypts the date and number and returns it into a
> variable called mv_credit_card_info. It erases from memory
> mv_credit_card_number (that's why you don't see it). If you do not set
> CreditCardAuto and set '&credit_card=standard keep' in the profiles.order
> file. (Or you could just not set either.) Then the credit card number
> should make it into the email in clear text. DO NOT DO THIS!!!
> If you are considering sending cc nums over unencrypted channels (like
> email) I strongly invite you to consider this alternative:
> Use pgp or gpg and generate yourself a public/private key. Put the public
> key on the IC server and use it to encrypt the cc num et al. into
> mv_credit_card_info. Have IC mail this to you and then decrypt it using
> the private key. This is in fact the way it was designed to work.
> Hope this helped.
> Sonny Cook
> "I don't want fifteen dollars." --Franklin D. Roosevelt
> On Tue, 24 Oct 2000, Strider Centaur wrote:
> > This is scary, for some reason the credit card number is not being
> > displayed on the e-mail being sent to the order-to email address, we get
> > everything but the actual number.
> > We have made changes to the checkout.html page ( and I'm sure we must
> > have broken this ) but for the life of me it all looks right.
> > All we did was turn the SELECT where you would normally have
> > selected your payment method into a string and moved the variables of
> > that into a hidden input tag. That all seems to work because we are
> > always prompted for the credit card number. And if we enter a bad card
> > number we get the (Credit card fails tests.) message. So it looks like
> > it's processing it to that point.
> > We have CreditCardAuto set to Yes but not Encryptor defined. If we
> > set CreditCardAuto to No or commented out we keep getting CC failed
> > encryption messages.
> > Any suggestions or advice is greatly appreciated.
> > --
> > Strider Centaur
> > HTTP://www.Scifi-Fantasy.com
> > " It is my observation that unless you really understand the issues, you are
> > hardly in a position to criticize. Nearly all Linux users have used Windows,
> > but very few Windows users have used Linux. " -- Me
> > _______________________________________________
> > Interchange-users mailing list
> > Interchangefirstname.lastname@example.org
> > http://www.minivend.com/mailman/listinfo/interchange-users
" It is my observation that unless you really understand the issues, you are
hardly in a position to criticize. Nearly all Linux users have used Windows,
but very few Windows users have used Linux. " -- Me