[ic] How to get Credit Card # in admin

cfm@maine.com
Thu, 5 Apr 2001 09:45:18 -0400

On Thu, Apr 05, 2001 at 07:57:18AM -0400, Mike Heins wrote:
> Quoting Bob Puff@NLE (bob@nleaudio.com):
> > Hi Gang,
> > 
> > Tonight I was trying to get the credit card info to appear in the admin page
> > for orders.


> Once again, I will never help you get an unencrypted credit card number
> displayed. And I hope no one else will.

Mike and I disagree on credit cards.  Me, I think they exist specifically
to enable commerce in untrusted environments.  There is only incidental
liability to the shopper.

That is absolutely NOT true of the relationship between the merchant and
the merchant bank.  It's only a matter of time before merchant banks
require "data security" policies.  Putting something on a "secure server"
means little more than the shopper can be relatively certain that you 
are who you say you are.  Even that is questionable, now that I can get
a cert in 2 hours with no supporting backup for a startup company.

> > (the admin interface is now on a secure server, so worry not about security
> > issues)
> Not so. What happens when your system gets cracked? Credit card numbers are
> there for the taking.

90% of security breaches are internal.  Of the remaining 10%, 90% are
system failures.  Then we can start talking about criminal intent, where
the secure server/encryption comes in.  Your concept of "secure server"
is ***way*** off base.  Think about the whole process as a security
issue.  If your clients are unable to process PGP mail and have to pick
up orders in the clear manually, there is no security; client data and
order integrity are likely going to be bigger issues than credit cards.
Charge them more and train them.

Perception is an entirely different issue; so many secure sites have certs
and then throw the cc numbers out in the dumpster.

There are exceptions to every rule; in a call center/ecommerce environment 
it makes sense to have credit cards available to the reps dealing with 
customers (blank them after a billing cycle).  Internet: no, trained staff
with policies: yes, secure: no, customer service requirement: yes.
