[thelist] Shopping Sites, Credit Cards

David Bindel dbindel at austin.rr.com
Thu Jun 27 13:18:01 CDT 2002


From: "Michael Mell" <mike at nthwave.net>
> I'm going to be setting up cc transactions right soon myself. The client wants
> a One-Click-y kind of thing where we store the credit card with our CreditCard
> Processor. All we store is an encrypted password. After the user's first
> transaction with us, the CreditCard Processor has their card number related to
> the password. On the user's second transaction, we request the password, not
> the card number. When we request the CreditCard Processor to validate the
> purchase, we merely send the password, not the card.
>
> Anyone built a system like this? Which Card Processors will handle this? What
> are the risks/benefits?

I'm assuming that you are designing this system yourself, so here goes:

First of all, you definitely need to store more than just a password.  At a
minimum, you will also need a corresponding username to go with the
password.  Here's an example of what could happen if you implemented JUST a
password:

----------
Customer #1 ("C1") orders a product from your website.  The website asks
what he would like his "future purchase password" to be, and C1 types in
"qwerty".

Customer #2 ("C2") comes along and makes an order on your website also.
Then the website asks what he wants his purchase password to be, so C2 says
"qwerty".  The website then informs him that that particular password is
already taken.  So C2 decides to make his purchase using the password
"qwerty".... which actually uses C1's credit card information.  The WRONG
customer, C1, would be charged for C2's purchase.
----------

Now if you had used a username / password pair, yes, C2 WOULD have been
informed that the username was already taken, BUT he would still have to
take a stab in the dark at what the password for that username would be.

Just try to think of what COULD happen and be sure you don't leave any big
loopholes like that open.

You should also realize that many credit card processing systems offer this
feature already, so instead of building your own you could look into paying
someone else for processing service.  If you get a good popular processing
service, odds are that most of the security holes will have been caught and
fixed.

Good luck!

David Bindel
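
Added example, not part of the original post: the C1/C2 collision described above, in Python, with the password-only lookup next to a username-plus-password version. The class names, the `tok_*` values and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class PasswordOnlyStore:
    """Flawed design: the password alone selects the stored card token."""
    def __init__(self):
        self.tokens = {}  # password -> processor token

    def register(self, password, token):
        if password in self.tokens:
            return False  # "already taken" confirms this password is live
        self.tokens[password] = token
        return True

    def charge(self, password):
        return self.tokens.get(password)  # anyone with the password gets the card


class AccountStore:
    """Username identifies the account; a salted hash verifies the password."""
    def __init__(self):
        self.accounts = {}  # username -> (salt, password hash, processor token)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, token):
        if username in self.accounts:
            return False  # reveals only that the username exists
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._hash(password, salt), token)
        return True

    def charge(self, username, password):
        record = self.accounts.get(username)
        if record is None:
            return None
        salt, stored, token = record
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        return token if ok else None


def demo():
    # All usernames, passwords and tokens below are constructed sample values.
    weak, strong = PasswordOnlyStore(), AccountStore()
    weak.register("qwerty", "tok_C1")                 # C1 signs up
    rejected = not weak.register("qwerty", "tok_C2")  # C2 is told it is taken
    wrong_card = weak.charge("qwerty")                # C2's purchase bills C1
    strong.register("c1", "qwerty", "tok_C1")
    both_ok = strong.register("c2", "qwerty", "tok_C2")  # same password, no clash
    return (rejected, wrong_card, both_ok,
            strong.charge("c2", "qwerty"), strong.charge("c1", "guess"))
```
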



