Before you wandered off into the weeds about your mailserver, you were
starting towards a good point. PCI compliance requires audits, and most
transaction clearinghouses will require you to pass those audits at whatever
level of data handling you are doing. (The simplest/easiest being "none",
where you kick off to checkout or some other service to handle it and you
never interact with the card data at all.)

On Tue, Jul 5, 2011 at 1:56 PM, Kevin Chadwick <[email protected]> wrote:

> On Tue, 5 Jul 2011 11:47:27 -0400
> Disconnect wrote:
>
> > As others have said, the best practice is "don't".
> >
> > If you absolutely must store it, you are probably doing it wrong. But if
> > you insist on doing it wrong, look into PCI compliance
> > (https://www.pcisecuritystandards.org/)
>
> That requires paying for audits and usually a secure server where the
> data would be stored, though ironically PCI compliance can actually
> reduce your server security for some things like OpenBSD passwords. Do
> you realise that to support CRAM-MD5 (almost all mail servers do, not
> mine; Nokia mail clients require it though, grrr!!) the server has to
> access the password in plain text, unlike plain text over SSL, where the
> server can have no way of knowing your password without being given your
> password. Like your method, which isn't just testing the valid password,
> the key to decrypt this info has to be on the device. A programmable
> Android with a GUI will never be secure enough for this, especially
> during its immaturity. At the very least you'd need great big flashing
> disclaimers making your customers run a mile.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>
