[thelist] storing user information and allowing them to "finish later" and payment issues

Nan Harbison nan at nanharbison.com
Tue Dec 2 06:03:15 CST 2008

Hi Lauri,

Wow, thanks for this. I was very paranoid about security, so I hope I am
complying, but I will have to read all this information.
You must have to be logged in to see the two links below because I was
redirected to a session timeout page, which was blank. I would really like
to see what is in these pages; can you let me know how you got to these


-----Original Message-----
From: Lauri [mailto:lauri_lists at tharapita.com] 
Sent: Tuesday, December 02, 2008 2:31 AM
To: thelist at lists.evolt.org; nan at nanharbison.com
Subject: RE: [thelist] storing user information and allowing them
to "finish later" and payment issues


> are they paying for what they're registering for? not sure what you're 
> doing, so this is a guess, but if you're filling in registration for a 
> service or product, and payment information will be required, why 
> would you NOT put them on the same page?
> other than technical reasons (which aren't the client's problem :)

Since we're speaking about credit cards, there is the matter of PCI DSS
(Payment Card Industry Data Security Standard) compliance. Check out
https://www.pcisecuritystandards.org/ for more and specifically these two
FAQ entries:
http://selfservice.talisma.com/display/2/kb/article.aspx?aid=5769 and
http://selfservice.talisma.com/display/2/kb/article.aspx?aid=5785.

Small merchants and even payment processors could previously pretty much do
whatever they wanted to do, but they're all on the list of being clamped
down on. There are many merchants and even a few payment service providers
who aren't yet PCI compliant, but most of them have been set a deadline
already. There are also a few who haven't had a reality check yet. New
merchants generally are required to comply with PCI right out of the gate
unless they use the redirect/indirect integration method where they redirect
to the payment provider for payment detail capture. 

PCI DSS itself is not hugely complicated, but it is expensive for small
merchants. It varies with the volumes you're processing, but generally
you'll need at least two sysops (for split encryption key knowledge), 4+
production boxes, segregation of duties in development and deployment, and
code reviews.
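The redirect (hosted payment page) integration mentioned above is the usual way a small merchant keeps card data off its own servers: the merchant sends the browser to the provider with a signed description of the order, the provider captures the card details on its own page, and the provider sends the browser back with a signed result. What follows is an added example written for this page; it is not code from the thread or from any payment provider. The provider URL, the parameter names, the use of an HMAC-SHA256 shared secret for both directions, and the sample order values are all assumptions made for the illustration; real providers each define their own scheme.

```python
"""
Hosted-payment ("redirect") integration, merchant and provider sides.

Added example, not code from the thread or any payment provider.
PROVIDER_URL, SHARED_SECRET, the field names and the signing scheme
are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PROVIDER_URL = "https://pay.example.test/hosted"            # hypothetical
SHARED_SECRET = b"merchant-secret-agreed-out-of-band"      # constructed sample
MERCHANT_ID = "M12345"                                      # constructed sample


def _now(now):
    return int(now if now is not None else time.time())


def sign(params, secret=SHARED_SECRET):
    """HMAC over a canonical, escaped serialisation (sorted key=value pairs),
    so '&' or '=' inside a value cannot create an ambiguous message."""
    canonical = urlencode(sorted(params.items())).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_redirect(order_id, amount_cents, currency, return_url,
                   secret=SHARED_SECRET, now=None):
    """Merchant side: describe the order, never the card, and sign it."""
    params = {
        "merchant": MERCHANT_ID,
        "order": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),
        "ts": str(_now(now)),
    }
    params["sig"] = sign(params, secret)
    return f"{PROVIDER_URL}?{urlencode(params)}"


def simulate_provider_callback(redirect_url, status="paid",
                               secret=SHARED_SECRET, now=None):
    """Provider side (stand-in): check the merchant's signature, take the card
    on its own page (not modelled), then return the browser with a signed
    result. No card field ever crosses this exchange."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    sig = req.pop("sig", "")
    if not hmac.compare_digest(sig, sign(req, secret)):
        raise ValueError("provider rejected merchant request: bad signature")
    result = {
        "order": req["order"],
        "amount": req["amount"],
        "currency": req["currency"],
        "status": status,
        "nonce": secrets.token_hex(8),
        "ts": str(_now(now)),
    }
    result["sig"] = sign(result, secret)
    return f"{req['return_url']}?{urlencode(result)}"


def verify_callback(callback_url, expected_order, expected_amount_cents,
                    seen_nonces, secret=SHARED_SECRET, now=None, max_age=300):
    """Merchant side: mark the order paid only if the provider's signature
    holds, the order/amount match what we asked for, and the message is
    fresh and not replayed. Returns (ok, reason)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    sig = q.pop("sig", "")
    if not hmac.compare_digest(sig, sign(q, secret)):
        return False, "bad or missing signature"
    # The fields mean nothing until the signature has been checked.
    if q.get("status") != "paid":
        return False, f"not paid: {q.get('status')}"
    if q.get("order") != expected_order or q.get("amount") != str(expected_amount_cents):
        return False, "order/amount mismatch"
    if abs(_now(now) - int(q.get("ts", "0"))) > max_age:
        return False, "stale callback"
    if q.get("nonce") in seen_nonces:
        return False, "replayed callback"
    seen_nonces.add(q["nonce"])
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    url = build_redirect("A-1001", 4999, "EUR", "https://shop.example.test/done")
    back = simulate_provider_callback(url)
    print(verify_callback(back, "A-1001", 4999, seen))   # (True, 'ok')
    print(verify_callback(back, "A-1001", 4999, seen))   # replay rejected
```

The point of the verification step is that the return URL arrives via the customer's browser, so anyone can construct one: a callback that is not signed, that names a different amount, or that is simply submitted twice must fail before the merchant marks the order paid. Checking the signature before reading any field, comparing amount and order against the merchant's own record rather than trusting the callback, and tracking nonces are what keep the "finish later" flow from turning into a free-checkout bug.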
