[thelist] how secure to store credit cards
Erik Mattheis
gozz at gozz.com
Tue Jan 8 18:36:01 CST 2002
Interesting discussions, however I'm glad to say I don't need to
understand the bulk of it ... I'm not going to have to store card
numbers.
>> Is there a service where the entire transaction could appear to the
>> visitor to occur on the server
>
>No, that's a violation of ethics and legal code. The cardholder has a
>right to know what domain their information is being submitted to.
Hmm, I think I must have asked the question in a misleading manner -
I meant "transaction" in the sense of billing the card, not the
transaction between the visitor and website.
What I was looking for is exactly authorizenet.com's "ADC direct
response" method of interacting with their service ... The webserver
acts as a client to their servers, which carry out the transaction
and return a response code.
My concern now is a brief mention that making the webserver act as a
secure client might be difficult for some developers ... what's
involved in this? Anything? Is it that my server is going to want to use
its own certificate when it sees <cfhttp url="https://xxx"> but the
server it's being a client to needs to use its certificate?
>But only a fool would allow you "have to have complete control over
>all the HTML." on a page on their server if they are conducting
>transactions. The only way you are going to have complete control
>is to take complete responsibility: SSL enable your own server,
>store the data on your server, etc.
Take a look at the paragraph under the heading "ADC Direct Connect"
... everything happens on the merchant's server except the charge
authorization and storage of the card number, etc - the customer
never leaves the site, but the actual approval and charge is done at
Authorize.net.
>Here's something else to think about, does your customer know
>and trust your client, know and trust your security? Of course not.
>Instead of seeing a third party web page as a problem try looking at
>it as a feature. Make it clear to the consumer that their transaction
>is being done on a different server,
I do see your point. I am using Verisign's Payflow Link for another
site, rather the client does - but the client has had email and telephone
correspondence with their customers by the time they charge the card;
they've explained the whole process in personal emails and telephone
calls - built trust - in the situation I'm dealing with now, there
will never be any contact with the customers other than automatically
generated email messages - and for me at least, I'm not going to give
my bank card number to a site I haven't heard of if I'm buying
something from another site. (and PayPal, Yahoo! etc are not options).
Besides, again, the visual design of every page is important for this
project ... I doubt Bank of America has a Kitschy! Flash! Animated!
template option.
Thanks for all the discussion, this really helps.
--
__________________________________________
- Erik Mattheis
(612) 377 2272
http://goZz.com/
__________________________________________
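An added illustration of the server-as-client model discussed in this post (not code from the post, from Authorize.net or from thelist): the merchant's web server opens its own outbound HTTPS connection, verifies the gateway's certificate and hostname the way any TLS client does, presents a certificate of its own only if the gateway demands mutual TLS, and keeps nothing but the response. The gateway host, form fields and pipe-delimited reply format are assumptions for the example, not the real ADC specification.

```python
"""Merchant server acting as a TLS client to a card gateway.
Host, field names and reply format below are assumed, not the real API."""
import ssl
import http.client
from urllib.parse import urlencode

GATEWAY_HOST = "gateway.example.invalid"   # placeholder, not a real endpoint
GATEWAY_PATH = "/authorize"                # assumed path


def make_client_context(client_cert=None, client_key=None):
    """TLS context for the outbound leg. The default context verifies the
    gateway's certificate chain and hostname against the system trust store;
    our own certificate is loaded only when the gateway requires client auth."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def https_post(host, path, body):
    """Real transport: one HTTPS POST using the verifying context above."""
    conn = http.client.HTTPSConnection(host, context=make_client_context())
    conn.request("POST", path, body,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    return conn.getresponse().read().decode()


def parse_response(raw):
    """Assumed reply format: 'code|reason|auth_code', code '1' = approved."""
    code, reason, auth = (raw.strip().split("|") + ["", ""])[:3]
    return {"approved": code == "1", "reason": reason, "auth_code": auth}


def charge_card(card_number, exp, amount, transport=https_post):
    """Submit the charge and return a record that is safe to keep on the
    merchant side: response fields plus last four digits, never the PAN
    or expiry. The transport argument lets the call be exercised offline."""
    body = urlencode({"card": card_number, "exp": exp, "amount": amount})
    result = parse_response(transport(GATEWAY_HOST, GATEWAY_PATH, body))
    return {"last4": card_number[-4:], "amount": amount, **result}
```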