[H-GEN] Credit card security

Frank Brand fbrand at uq.net.au
Fri May 25 01:28:24 EDT 2001


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

I would talk to the banks about this, they all have their own secure
systems - in fact there was quite a large software programming project to
get high level security and you will need to actually interface with their
systems anyway to automate the payments procedure (well this is not
mandatory but is certainly a preferred course).

Further there are a number of credit card modules available...I know
ColdFusion has one and I would be very surprised if there was not a credit
card module for php and there is CCVS (IIRC) for Linux. Pretty well every
system I have seen stores the information in a database at the end of the
system. Most of the systems I have seen/used store information in clear text
at its destination but it can be protected along the way by encryption.

PWC has a specialist banking area and they should be able to provide info or
an introduction to some of the banks (eg NAB).

>Like I said, pretty simple, but here are my concerns.
>1. The CC information is stored in the database in clear text.
>2. I'm not sure whether SSL combined with .htaccess security on the web
>server is good enough for this purpose.
>
>I had a couple of thoughts on how to do this better.
>1. Use public key encryption to encrypt the details and send it in the
>email (don't use a database at all).  I don't think this one is
>acceptable since it's possible to lose an order.
>2. Same as above but store the encrypted data in the database and send a
>clear text email as before without the CC details.  The web page would
>give the CC details in an encrypted block that could then be cut/pasted
>into whatever tool was being used by the recipient.





