[ic] checkout confirmation page

Joshua Rusch interchange-users@icdevgroup.org
Fri Apr 25 19:09:00 2003


>> I'm wondering if there is a secure way in the most recent versions of
>> interchange (4.9.7) to have a confirmation page in checkout, ie have the
>> credit card number collected on checkout page 1, but do the actual
>> charge upon submitting checkout page 2-which just shows a review of the
>> information (without showing credit card number of course!).

> There is no secure way in any software that I know of, only insecure
> ways (i.e. storing the credit-card number en-clair on disk). That is
> why we never do it that way.

Thanks for the reply.
I guess I should have asked "Is there a more secure insecure way in
interchange to have a confirmation page?" 
For example, encrypt the cc# before saving it to disk, decrypt it at
charge, and then delete from disk.
I have a feeling we'll end up writing some code to do this.

I understand where you're coming from. It's good that you make sure
interchange is never the weakest link in the security chain....but for
what I'm doing, my thinking is that if someone is able to snag #s from
my system, especially if they do it by gaining access to the private
key, they can just as easily get to the interchange code and grab #s
unencrypted as they come in...
I'm not running interchange on any kind of shared server, so I wouldn't
have to worry about any kind of brute force attack on the encrypted #s
unless someone compromised the system.

Are there any issues specific to interchange that I'm not thinking
about? As I am working on my first interchange site, I'm still getting
my feet wet in many areas.

Josh
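
The encrypt, decrypt at charge, then delete flow proposed in the message above, as an added example that is not part of the original post and is not Interchange code. It uses the `openssl` command line; the function names, file names and session ids are hypothetical, and the private key is kept beside the ciphertext only so the demo is self-contained.

```shell
#!/bin/sh
# Added example: hold a card number encrypted between two checkout steps.
# All paths, file names and function names here are hypothetical.
set -eu

STORE=$(mktemp -d)             # stand-in for the session storage directory
PRIV="$STORE/charge_priv.pem"  # private key: needed only at charge time
PUB="$STORE/charge_pub.pem"    # public key: all that checkout page 1 needs

# One-time setup: generate a key pair (constructed for this demo).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$PRIV" 2>/dev/null
openssl pkey -in "$PRIV" -pubout -out "$PUB"
chmod 600 "$PRIV"

# Checkout page 1: encrypt the number read from stdin to the public key.
# Only ciphertext is written to disk, with owner-only permissions.
stash_card() {  # $1 = session id
    ( umask 077
      openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
          -pkeyopt rsa_padding_mode:oaep -out "$STORE/$1.cc.enc" )
}

# Confirmation page submitted: decrypt for the charge, then delete the file.
release_card() {  # $1 = session id; prints the number on stdout
    f="$STORE/$1.cc.enc"
    [ -f "$f" ] || return 1    # nothing stored, or already charged
    openssl pkeyutl -decrypt -inkey "$PRIV" \
        -pkeyopt rsa_padding_mode:oaep -in "$f" || return 1
    rm -f "$f"                 # a repeated submit finds nothing to charge
}
```

As the message itself observes, this protects the stored number only from someone who can read the session files but not the private key.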