Before you worry too much about Android security, it might be worth keeping in mind that for Internet-based payments, in most cases you only use the clear-text information printed on the outside of the card!
Anders

On 2011-07-05 20:19, Disconnect wrote:
> Before you wandered off into the weeds about your mailserver, you were starting towards a good point. PCI compliance requires audits, and most transaction clearinghouses will require you to pass those audits at whatever level of data handling you are doing. (The simplest/easiest being "none", where you kick off to checkout or some other service to handle it and you never interact with the card data at all..)
>
> On Tue, Jul 5, 2011 at 1:56 PM, Kevin Chadwick <[email protected]> wrote:
>
> > On Tue, 5 Jul 2011 11:47:27 -0400
> > Disconnect wrote:
> >
> > > As others have said, the best practice is "don't".
> > >
> > > If you absolutely must store it, you are probably doing it wrong. But if you insist on doing it wrong, look into PCI compliance (https://www.pcisecuritystandards.org/)
> >
> > That requires paying for audits and usually a secure server where the data would be stored, though ironically PCI compliance can actually reduce your server security for some things like OpenBSD passwords. Do you realise that to support cram-md5 (almost all mail servers do, not mine, nokia mail clients require it though, grrr!!) the server has to access the password in plain text unlike plain text over ssl where the server can have no way of knowing your password without being given your password. Like your method which isn't just testing the valid password the key to decrypt this info has to be on the device. A programmable Android with a gui will never be secure enough for this especially during its immaturity. At the very least you'd need great big flashing disclaimers making your customers run a mile.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to [email protected].
> > For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
