[ic] Multi-page checkout with real-time credit card processing

Orko interchange-users@interchange.redhat.com
Sun Mar 24 19:06:07 2002


<SNIP>
> > Here is my solution:
> > Use &credit_card=standard keep __CREDIT_CARDS_ACCEPTED__ in the profile
> > for the payment_info screen. Modify the payment routine to get the
> > credit card number out of mv_credit_card_info if there is not a cgi
> > mv_credit_card_number. I would use the interchange users key for
> > EncryptKey.
> > 
> > Is this a bad idea? Is there an easier way to do this?
</SNIP>

I personally don't have the secret key on the server that is running
IC.  In fact, none of our online servers has this key.  This ensures
that the only way for someone to get the CC numbers in
mv_credit_card_number would be for them to not only hack into the live
server, but also physically break into our office and steal the data off
of the only computer that has the secret key (or get to our backups in
our offsite safe).

There is a reason why IC is so finicky about not storing the CC number
unless it is encrypted.

The University of British Columbia recently contacted my bank (two
months ago).  It seems that back in May of 2001 they had their site
hacked and credit card numbers that they had stored were compromised.
This doesn't mean that they were actually used, or unencrypted, or even
copied off of the server; the security assessment team that they used
determined that there was a *possibility* that the cards could have been
unencrypted using the information stored on their servers.

This meant that they had to contact every single bank that held an
account that used any of the CC numbers that were compromised.  All of
the cards were forced to be canceled, and everyone, including me, had to
wait until the new ones arrived.  Do you think that the UBC had any
costs involved in this?  You bet your APR they did.  Just the legal
costs alone so that they could hold onto their merchant accounts would
be mind-boggling.

So should we make the sites more secure, or make them easier to use and
more streamlined to the customer's purchase?  I say both.  I would
strongly advise anyone to be careful not to cross the line into "unsafe
territory" just to make more sales.

-- orko

> > 
> > -- 
> > Bill Carr
> > Worldwide Impact
> > bill@worldwideimpact.com
> > 413-253-6700
> > 
> > _______________________________________________
> > interchange-users mailing list
> > interchange-users@interchange.redhat.com
> > http://interchange.redhat.com/mailman/listinfo/interchange-users
> 
> -- 
> 
> Christopher F. Miller, Publisher                               cfm@maine.com
> MaineStreet Communications, Inc           208 Portland Road, Gray, ME  04039
> 1.207.657.5078                                         http://www.maine.com/
> Content/site management, online commerce, internet integration, Debian linux
-- 
Office: (360)697-1603
  Cell: (360)271-0796
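The key split Orko describes above, as an added example that is not Interchange's own code and not its EncryptKey mechanism (which handed the number to an external encryption program): it stands in RSA-OAEP from Go's standard library, and the OrderRecord layout, the function names and the Visa test number are assumptions made for illustration. The online server holds only a PEM public key and can seal a card number but never open one; the private key is generated on, and never leaves, the offline machine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// OrderRecord is all the online server persists for an order (hypothetical
// layout). The card number is present only as ciphertext it cannot open.
type OrderRecord struct {
	OrderID       string
	CardLast4     string
	EncryptedCard string // base64 RSA-OAEP ciphertext
}

// WebTier is the online server's view: a public key and nothing else.
type WebTier struct{ pub *rsa.PublicKey }

// GenerateKeyPair runs once on the offline machine. Only the PEM public key is
// copied to the online server; the private key stays offline (and in backup).
func GenerateKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// NewWebTier parses the PEM public key installed on the online server.
func NewWebTier(pubPEM []byte) (*WebTier, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block in PEM input")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	return &WebTier{pub: pub}, nil
}

// SealCard is what the payment step does with the number from
// mv_credit_card_number: encrypt it under the public key, keep the last four
// digits for receipts, forget the rest. The order ID is the OAEP label, so a
// ciphertext copied onto a different order no longer decrypts.
func (w *WebTier) SealCard(orderID, cardNumber string) (OrderRecord, error) {
	digits := strings.ReplaceAll(cardNumber, " ", "")
	if len(digits) < 12 || len(digits) > 19 {
		return OrderRecord{}, errors.New("card number has an implausible length")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(digits), []byte(orderID))
	if err != nil {
		return OrderRecord{}, err
	}
	return OrderRecord{OrderID: orderID, CardLast4: digits[len(digits)-4:],
		EncryptedCard: base64.StdEncoding.EncodeToString(ct)}, nil
}

// OpenCard runs only on the offline machine that holds the private key.
func OpenCard(priv *rsa.PrivateKey, rec OrderRecord) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(rec.EncryptedCard)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(rec.OrderID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, pubPEM, _ := GenerateKeyPair() // offline, once
	web, _ := NewWebTier(pubPEM)         // online: public key only
	// Constructed sample input: the well-known Visa test number.
	rec, err := web.SealCard("ORD-1001", "4111 1111 1111 1111")
	fmt.Printf("web server keeps: last4=%s ct=%s... err=%v\n", rec.CardLast4, rec.EncryptedCard[:12], err)
	pan, err := OpenCard(priv, rec) // offline again
	fmt.Println("offline recovery:", pan, err)
}
```

The property Orko relies on is visible in what the online server's disk contains: order records with ciphertext, the last four digits, and a public key. Stealing all of it yields nothing that decrypts. Binding the order ID in as the OAEP label is a small extra: an attacker who can edit records cannot re-attach a ciphertext to an order of their own and wait for the offline process to decrypt it for them.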