[thelist] More E-Commerce Questions (Liability, Encryption)

phil crawford crawford_phil at hotmail.com
Mon Jun 25 17:01:14 CDT 2001


One way to reduce your exposure to hacking is to eliminate the cc#'s (or the 
last 4 digits) from the database once they are processed by the retailer.

Basically the cc#'s are only on the web server from the time an order is 
placed until it is processed.

My client would process the order, which would include running the cc# 
through their machine in their store, and would store the cc# in their 
financial software (this is important for returns/credits).  Once they hit 
the button on our admin interface that they processed the order, the code 
deletes the last four digits of the cc# from the database.

Then when a customer comes back and purchases again, they only have to enter 
the last four digits.

I've never really thought too much about this, but it has been working fine 
for about 2 years.


>From: "Beau Hartshorne" <beau at pair.com>
>Reply-To: thelist at lists.evolt.org
>To: "thelist" <thelist at lists.evolt.org>
>Subject: [thelist] More E-Commerce Questions (Liability, Encryption)
>Date: Mon, 25 Jun 2001 09:55:50 -0700
>
>If I develop an e-commerce site that gets compromised in some way, and some
>hacker manages to snatch up a bunch of CC#'s, who's liable? Is it the
>merchant, the host or the programmer? Can the merchant or host successfully
>sue the programmer if I do not develop the site properly? Can a contract
>offer protection against this?
>
>I've decided that the best way to accept credit cards that are to be
>manually processed is to encrypt the credit card information and either
>e-mail it (via PGP or GnuPG email) or store it (via a PHP encryption
>library) into the database.
>
>I'll probably just design the shopping cart on my own, and use PayPal to
>process the payment. I've read too many headlines that read "Russian hacker
>steals database full of credit card numbers" to walk blindly into this.
>
>Thanks for everyone's help.
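The purge-on-processed flow described in the reply above, as an added example that is not part of the original post or the poster's code. The SQLite `orders` table, every function name, and the well-known test card number are assumptions made for illustration; `luhn_completions` is included to show how much of the number the retained prefix still determines.

```python
import sqlite3

def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")        # hypothetical schema, not the poster's
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT,"
               " cc TEXT, processed INTEGER DEFAULT 0)")
    return db

def place_order(db, customer: str, pan: str) -> int:
    """Full number is held only until the retailer processes the order."""
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    cur = db.execute("INSERT INTO orders (customer, cc) VALUES (?, ?)", (customer, pan))
    return cur.lastrowid

def mark_processed(db, order_id: int) -> None:
    """Admin 'processed' button: drop the last four digits, exactly once."""
    db.execute("UPDATE orders SET cc = substr(cc, 1, length(cc) - 4), processed = 1"
               " WHERE id = ? AND processed = 0", (order_id,))

def reorder(db, customer: str, last4: str) -> int:
    """Returning customer supplies only the last four digits."""
    if not (len(last4) == 4 and last4.isdigit()):
        raise ValueError("expected four digits")
    row = db.execute("SELECT cc FROM orders WHERE customer = ? AND processed = 1"
                     " ORDER BY id DESC LIMIT 1", (customer,)).fetchone()
    if row is None:
        raise LookupError("no processed order on file")
    pan = row[0] + last4                    # rebuild in memory only
    if not luhn_ok(pan):
        raise ValueError("digits do not complete the stored number")
    return place_order(db, customer, pan)

def luhn_completions(prefix: str) -> int:
    """Count the 4-digit endings that pass Luhn for a stored prefix."""
    return sum(luhn_ok(prefix + f"{n:04d}") for n in range(10000))
```

For any stored prefix, `luhn_completions` returns 1000 of the 10,000 possible endings, so the truncated column narrows what a database thief obtains but does not make the number unrecoverable.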