[ic] How to get Credit Card # in admin

Mike Heins mikeh@minivend.com
Thu, 5 Apr 2001 14:02:07 -0400


Quoting Bob Puff@NLE (bob@nleaudio.com):
> > Not so. What happens when your system gets cracked? Credit card numbers are
> > there for the taking.
> 
> If the system gets cracked, credit card numbers are there for the taking even
> if it's not in the admin.  As was stated before, there are a few files that
> store the credit card number, that anyone with root access can easily find.
> Just have a look in the ORDERS directory.  Plain text credit card numbers.

That is prior to using the recommended encryption. Before your store
goes live, you should set the main route encrypt_program to a good value:

  Route main encrypt_program "gpg -r you@yours.com -e -a --always-trust --batch"

or remove mv_credit_card_info from the etc/report file.

It is a difficult situation when distributing a program. If I remove
[value mv_credit_card_info] from the output, then we will get a slew of
questions about "where is the credit card info". If we set things up to
require GPG by default, then that makes things very difficult for testing.

I should probably remove the individual_track and track setting from the
default route, or set behavior when encrypt_program=null to say "CREDIT
CARD INFO REMOVED SINCE NOT ENCRYPTED". That second is better, I think,
and I will do it. We will have to live with the inevitable questions,
though I think it will be better now that GPG and PGP are in wide use.

Bottom line is, before enabling a catalog to go live, you should obtain
and set up GPG and set up for encryption as is recommended in the docs
and FAQ.

Thinking about it, maybe I will set the demo to be:

    Variable  ENCRYPTOR        echo Encryption not enabled yet. 
    EncryptProgram             __ENCRYPTOR__
    Route main encrypt_program "__ENCRYPTOR__"

That should tell people what is going on, yet not cause encryption
errors in the checkout process. That is the ticket.

I may not always seem like it, but I am grateful for all the feedback
and ideas I get from all of you. Thanks, Bob.

-- 
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <mheins@redhat.com>

Fast, reliable, cheap.  Pick two and we'll talk.  -- unknown
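
A pre-go-live check for the two conditions discussed in this message, added here as an example (not part of the original post and not Interchange code): it tests whether the main route's encrypt_program resolves to a real encryptor rather than an empty value or the "echo" placeholder, and it scans order report text for Luhn-valid card numbers left outside a PGP-armored block. It assumes the single-line directive forms shown in the message; the function names and the sample order text are constructed for illustration.

```python
import re

# Single-line directive forms as written in the message (assumed; heredoc forms not handled).
ROUTE_RE = re.compile(r'^[ \t]*Route[ \t]+main[ \t]+encrypt_program[ \t]*(.*)$', re.M)
VAR_RE = re.compile(r'^[ \t]*Variable[ \t]+(\w+)[ \t]+(.*)$', re.M)
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')  # 13-19 digits, optional separators
ENCRYPTORS = ("gpg", "pgp")  # assumption: programs this check accepts as real encryptors

# Constructed sample data: the demo settings from the message and a made-up order report.
DEMO_CFG = '''Variable  ENCRYPTOR        echo Encryption not enabled yet.
EncryptProgram             __ENCRYPTOR__
Route main encrypt_program "__ENCRYPTOR__"
'''
SAMPLE_ORDER = "Name: Test Buyer\nCard: 4111 1111 1111 1111\nOrder: 1234567890123456\n"

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

def encrypt_program(cfg_text):
    """Effective main-route encrypt_program with __NAME__ variables expanded."""
    variables = {name: val.strip() for name, val in VAR_RE.findall(cfg_text)}
    m = ROUTE_RE.search(cfg_text)
    value = m.group(1).strip().strip('"') if m else ""
    return re.sub(r'__(\w+?)__', lambda v: variables.get(v.group(1), ""), value)

def encryption_enabled(cfg_text):
    """True only if the route runs gpg/pgp; empty or placeholder values fail."""
    argv = encrypt_program(cfg_text).split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in ENCRYPTORS

def plaintext_cards(report_text):
    """Masked Luhn-valid card numbers found outside ASCII-armored PGP blocks."""
    hits, armored = [], False
    for line in report_text.splitlines():
        if line.startswith("-----BEGIN PGP MESSAGE"):
            armored = True
        elif line.startswith("-----END PGP MESSAGE"):
            armored = False
        elif not armored:
            for m in PAN_RE.finditer(line):
                digits = re.sub(r'\D', '', m.group())
                if luhn_ok(digits):
                    hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits
```

Hits are returned masked to the last four digits so the check's own output does not become another plaintext copy of the card data.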