[thelist] More E-Commerce Questions (Liability, Encryption)

Beau Hartshorne beau at members.evolt.org
Mon Jun 25 17:39:59 CDT 2001


Charles & Phil:

The problem is that if someone gets into your site between the time the
full cc#s are exposed, and the time that the merchant processes the order,
you end up with some hacker with a few cc#'s. OK, it's not the end of the
world. The merchant, however, might be very upset. The merchant relied on a
professional web programmer to develop a secure online store. The merchant
may have half a dozen VERY unhappy customers who will likely never come
back. So the merchant takes you to court for everything you're worth (or
for whatever your insurance company would put up).

This is my concern.

I would want to encrypt those numbers as soon as the "confirm order" button
was pressed -- even if the numbers were only on the server for a few hours
or days. Even then, a hacker could configure the server to intercept
everything from the web form to the scripting language. In fact, if a
hacker obtained control of the server, any type of credit card transaction
could be compromised (authorize.net, whatever).

So, does anyone have any experience with the legal relationship between
programmer and client? What types of legal issues to web designers and
programmers face? What type of protection do we need? I would rather
protect myself from a lawsuit with something other than insurance.

Thanks,

Beau

-----Original Message-----
From: thelist-admin at lists.evolt.org
[mailto:thelist-admin at lists.evolt.org]On Behalf Of phil crawford
Sent: June 25, 2001 2:46 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] More E-Commerce Questions (Liability, Encryption)


Beau,

One way to reduce your exposure to hacking is to eliminate the cc#'s (or
the
last 4 digits) from the database once they are processed by the retailer.

Basically the cc#'s are only on the web server from the time an order is
placed until it is processed.

My client would process the order, which would include running the cc#
through their machine in their store, and would store the cc# in their
financial software (this is important for returns/credits).  Once they hit
the button on our admin interface that they processed the order, the code
deletes the last four digits of the cc# from the database.

Then when a customer comes back and purchases again, they only have to
enter
the last four digits.

I've never really thought too much about this, but it has been working fine
for about 2 years.

-phil





More information about the thelist mailing list