[thelist] More E-Commerce Questions (Liability, Encryption)

Charles F. Johnson charles at littlegreenfootballs.com
Mon Jun 25 17:13:59 CDT 2001
Beau Hartshorne <beau at pair.com> typed:

> I've decided that the best way to accept credit cards that are to be
> manually processed is to encrypt the credit card information and either
> e-mail it (via PGP or GnuPG email) or store it (via a PHP encryption
> library) into the database.
> 
> I'll probably just design the shopping cart on my own, and use PayPal to
> process the payment. I've read too many headlines that read "Russian hacker
> steals database full of credit card numbers" to walk blindly into this.
> Thanks for everyone's help.

The best way to ensure that something like that never happens to you is to
*not* store credit info on your server for any longer than it takes someone
to read it. And of course, the page that accepts the card # must be securely
encrypted.

For one of our clients we set up a system that takes transaction info and
stores it in a password-protected directory. When an order is placed, the
client gets an email notifying them about it, with no info except the
customer's name and email address. Then they browse to a special script
located in the same securely-accessed password-protected directory, which
displays the latest transactions on screen -- and immediately deletes them
from the server. The client then saves the info on their local system.

Assuming the client stays on top of things, this is about as safe as
possible; even if someone manages to hack in, they'll only get a few numbers
instead of a whole database.

charles johnson
lgf web design
http://littlegreenfootballs.com
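The "display it once, then delete it from the server" flow Charles describes, written out as an added Python example. This is not code from the list or from lgf web design; it assumes a hypothetical spool directory standing in for the password-protected directory (a temp directory here so it runs offline), JSON files as the record format, and a constructed sample order with the well-known Visa test number rather than a real card. The notification e-mail body carries only the customer's name and address, exactly as the post recommends, and the collection step unlinks each record in the same pass that reads it, so the server holds a card number only until the merchant picks it up.

```python
import json
import os
import tempfile
from pathlib import Path

# Hypothetical spool directory standing in for the post's password-protected
# directory on the web server; a temp directory keeps the example self-contained.
SPOOL_DIR = Path(tempfile.mkdtemp(prefix="orders-"))
os.chmod(SPOOL_DIR, 0o700)  # only the web-server account can list or read it

# Constructed sample order; 4111 1111 1111 1111 is the standard Visa test number.
SAMPLE_ORDER = {
    "order_id": "1001",
    "name": "Ada Example",
    "email": "ada@example.com",
    "card_number": "4111111111111111",
    "amount": "19.95",
}


def store_order(order: dict, spool: Path = SPOOL_DIR) -> Path:
    """Write one order record into the spool atomically (temp file + rename).

    The full record, card number included, exists on the server only from
    this point until collect_orders() reads and removes it.
    """
    spool.mkdir(mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=spool, prefix=".tmp-")
    with os.fdopen(fd, "w") as f:
        json.dump(order, f)
    os.chmod(tmp, 0o600)  # owner-only; mkstemp already does this, made explicit
    final = spool / f"{order['order_id']}.json"
    os.replace(tmp, final)  # readers never see a half-written record
    return final


def notification_text(order: dict) -> str:
    """Body of the e-mail sent to the merchant: name and e-mail address only.

    Nothing about the card or the amount travels over e-mail in clear text.
    """
    return f"New order {order['order_id']} from {order['name']} <{order['email']}>"


def pending_orders(spool: Path = SPOOL_DIR) -> list:
    """Records waiting for collection (temp files in progress are excluded)."""
    return sorted(p for p in spool.glob("*.json"))


def collect_orders(spool: Path = SPOOL_DIR) -> list:
    """Return every pending record and delete it from the server in the same
    step, so each record can be read exactly once (the post's 'display the
    latest transactions and immediately delete them' script)."""
    records = []
    for path in pending_orders(spool):
        with open(path) as f:
            records.append(json.load(f))
        os.unlink(path)  # gone from the server as soon as it has been shown
    return records


if __name__ == "__main__":
    store_order(SAMPLE_ORDER)
    print(notification_text(SAMPLE_ORDER))  # what the merchant's mailbox sees
    print(len(pending_orders()), "pending before collection")
    collected = collect_orders()
    print(len(collected), "collected;", len(pending_orders()), "pending after")
```

Two caveats a practitioner would add to this scheme: unlinking a file does not scrub the disk blocks it occupied, which is why encrypting the record before it touches disk (the GnuPG or PHP-library approach from the quoted message) still matters, and the merchant-side copy is now the sensitive store, so the same care applies to their local system.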