[thelist] how secure to store credit cards

Erik Mattheis gozz at gozz.com
Tue Jan 8 18:36:01 CST 2002 

Interesting discussions, however I'm glad to say I don't need to 
understand the bulk of it ... I'm not going to have to store card 
numbers.

>  >Is there a service where the entire transaction could appear to the
>>visitor to occur on the server
>
>No, that's a violation of ethics and legal code. The cardholder has a
>right to know what domain their information is being submitted to.

Hmm, I think I must have asked the question in a misleading manner - 
I meant "transaction" in the sense of billing the card, not the 
transaction between the visitor and website.

What I was looking for is exactly authorizenet.com "ADC direct 
response" method of interacting with their service ... The webserver 
acts as a client to to their servers, which carry out the transaction 
and return a response code.

My concern now is a brief mention that making the webserver act as a 
secure client might be difficult for some developers ... what's 
involved in this? Anything? Is it that my server is going want to use 
it's own certificate when it sees <cfhttp url="https://xxx"> but 
server it's being a client to needs to use it's certificate?

>But only a fool would allow you "have to have complete control over
>all the HTML." on a page on their server if they are conducting
>transactions.  The only way you are going to have complete control
>is to take complete responsibility: SSL enable your own server,
>store the data on your server, etc.

Take a look at the paragraph under the heading "ADC Direct Connect" 
... everything happens on the merchant's server except the charge 
authorization and storage of the card number, etc - the customer 
never leaves the site, but the actual approval and charge is done at 
Authorize.net.

>Here's something else to think about, does your customer know
>and trust your client, know and trust your security? Of course not.
>Instead of seeing a third party web page as a problem try looking at
>it as a feature. Make it clear to the consumer that their transaction
>is being done on a different server,

I do see your point. I am using Verisign's Payflow Link for another 
site, rather the client does - but client has had email and telephone 
correspondence with their customers by the time they charge the card; 
they've explained the whole process in personal emails and telephone 
calls - built trust - in the situation I'm dealing with now, there 
will never be any contact with the customers other than automatically 
generated email messages - and for me at least, I'm not going to give 
my bank card number to a site I hadn't heard of if I'm buying 
something from another site. (and PayPal, Yahoo! etc are not options).

Besides, again, the visual design of every page is important for this 
project ... I doubt Bank of America has a Kitchy! Flash! Animated! 
template option.

Thanks for all the discussion, this really helps.

-- 

__________________________________________
- Erik Mattheis

(612) 377 2272
http://goZz.com/

__________________________________________

More information about the thelist mailing list