[ic] Scary problem with credit cards

Strider Centaur strider@scifi-fantasy.com
Wed, 25 Oct 2000 03:34:08 -0400


    Thank you, Thank you, Thank you, Thank you, Thank you, Thank you, Thank you,
Thank you,

    I can't tell you how much this is going to help. I had isolated the encryption
routine in lib/Vend/Order; it seems to try and do a DES encryption, but with your
info I don't even have to worry about any of that.  :-)

    I do plan on using gpg encryption and have already ginned the keys.  Here's
hoping.


Sonny Cook wrote:

> Are you SURE that you want to send people's cc numbers over email?
>
> Credit card processing is a subset of form handling, and as such is
> controlled from the order profile (defined in etc/profiles.order).  There
> are two directives there that will impact this.
>
>         &credit_card=
>         &charge=
>
> For '&credit_card=' the usual options are 'standard keep'.  'standard' tells
> it to use the standard encryption (this includes a simple Luhn checksum on
> the number) and 'keep' tells it not to erase the number and dates from
> memory.  &charge sets the verification system to use (like cybercharge).
>
> If you set CreditCardAuto it will go ahead and call the encryption routine
> when the cgi variables are updated.  (ie, before the form is handled using
> the profile).  CreditCardAuto will do the same thing that
> &credit_card=standard will do (they call the same routine).
>
> In brief, the encryption routine verifies the dates and does the check on
> the cc_number.  If you type in a bad number it will be caught here.  It
> then goes ahead and encrypts the date and number and returns it into a
> variable called mv_credit_card_info.  It erases from memory
> mv_credit_card_number (that's why you don't see it).  If you do not set
> CreditCardAuto and set '&credit_card=standard keep' in the profiles.order
> file (or you could just not set either), then the credit card number
> should make it into the email in clear text.  DO NOT DO THIS!!!
>
> If you are considering sending cc nums over unencrypted channels (like
> email) I strongly invite you to consider this alternative:
>
> Use pgp or gpg and generate yourself a public/private key.  Put the public
> key on the IC server and use it to encrypt the cc num et al. into
> mv_credit_card_info.  Have IC mail this to you and then decrypt it using
> the private key.  This is in fact the way it was designed to work.
>
> Hope this helped.
>
> ---
> Sonny Cook
> Akopia
>
> "I don't want fifteen dollars."  --Franklin D. Roosevelt
>
> On Tue, 24 Oct 2000, Strider Centaur wrote:
>
> >     This is scary, for some reason the credit card number is not being
> > displayed on the e-mail being sent to the order-to email address, we get
> > everything but the actual number.
> >
> >     We have made changes to the checkout.html page (and I'm sure we must
> > have broken this) but for the life of me it all looks right.
> >
> >     All we did was turn the SELECT where you would normally have
> > selected your payment method into a string and moved the variables of
> > that into a hidden input tag.   That all seems to work because we are
> > always prompted for the credit card number.  And if we enter a bad card
> > number we get the (Credit card fails tests.)  message.  So it looks like
> > it's processing it to that point.
> >
> >     We have CreditCardAuto set to Yes but no Encryptor defined.   If we
> > set CreditCardAuto to No or comment it out we keep getting CC failed
> > encryption messages.
> >
> >     Any suggestions or advice is greatly appreciated.
> >
> >
> > --
> > Strider Centaur
> > HTTP://www.Scifi-Fantasy.com
> >
> >    " It is my observation that unless you really understand the issues, you are
> > hardly in a position to criticize.   Nearly all Linux users have used Windows,
> > but very few Windows users have used Linux. " -- Me
> >
> >
> >
> >
> > _______________________________________________
> > Interchange-users mailing list
> > Interchange-users@www.minivend.com
> > http://www.minivend.com/mailman/listinfo/interchange-users
> >

--
Strider Centaur
HTTP://www.Scifi-Fantasy.com

   " It is my observation that unless you really understand the issues, you are
hardly in a position to criticize.   Nearly all Linux users have used Windows,
but very few Windows users have used Linux. " -- Me
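
The flow described in Sonny's reply (check the number and dates, encrypt them to a public key into mv_credit_card_info, erase the clear-text number unless 'keep' is set), as an added Python example that is not part of the thread and is not Interchange's own code. Assumptions: the expiry field names, the tab-separated payload layout, 4-digit years, gpg on the PATH, and the placeholder recipient orders@example.com.

```python
import subprocess
from datetime import date

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits; spaces and dashes are ignored."""
    if any(c not in "0123456789 -" for c in number):
        return False
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def expiry_ok(month: int, year: int, today: date) -> bool:
    """A card is usable through the end of its expiry month."""
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)

def gpg_encrypt(plaintext: str, recipient: str) -> str:
    """Encrypt to the merchant's public key; the private key never sits on the server."""
    out = subprocess.run(
        ["gpg", "--batch", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext.encode(), capture_output=True, check=True)
    return out.stdout.decode()

def process_card(values: dict, encrypt, today: date, keep: bool = False) -> dict:
    """Validate, encrypt into mv_credit_card_info, then drop the clear-text fields."""
    number = values.get("mv_credit_card_number", "")
    month = int(values.get("mv_credit_card_exp_month", 0))   # assumed field name
    year = int(values.get("mv_credit_card_exp_year", 0))     # assumed field name
    if not luhn_ok(number) or not expiry_ok(month, year, today):
        raise ValueError("Credit card fails tests.")
    result = dict(values)
    result["mv_credit_card_info"] = encrypt(f"{number}\t{month:02d}/{year}\n")
    if not keep:                            # 'keep' leaves the clear text in place
        for field in ("mv_credit_card_number", "mv_credit_card_exp_month",
                      "mv_credit_card_exp_year"):
            result.pop(field, None)
    return result

if __name__ == "__main__":
    # Constructed form values; 4111... is the common test number, not a real card.
    form = {"mv_credit_card_number": "4111 1111 1111 1111",
            "mv_credit_card_exp_month": "12", "mv_credit_card_exp_year": "2031"}
    order = process_card(form, lambda s: gpg_encrypt(s, "orders@example.com"), date.today())
    print(order["mv_credit_card_info"])
```

With keep left off, only the armored ciphertext remains in the values that get mailed, which matches the symptom in the original question: the number is gone from the e-mail because it was erased after encryption.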