Re: credit card storage help

2008-07-08 Thread Steve Sommers
Hi all,

Sorry I'm entering this thread a little late. I noticed some Shift4 references 
so I decided to chime in.

You'll definitely want to use some form of tokenization, whether ours or any 
gateway you decide to use. One product I would like to mention that we offer is 
i4Go. It is a tokenization piece that takes your entire site and server out of 
PCI scope -- you are no longer handling cardholder data (CHD) and this is what 
PCI is concerned with. With i4Go you have full control of the transactions (one 
time charge, recurring billing, two-click check out, etc.) and still never 
directly handle CHD.

You most likely have decided on a solution by now but maybe others are facing 
the same decision.

--Steve


P.S. Joseph, thanks for the kind words and I hope all worked out for you. I'm 
still ashamed the way things went down.


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:308745
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: credit card storage help

2008-07-08 Thread Phillip Vector
On Tue, Jul 8, 2008 at 11:23 AM, Steve Sommers [EMAIL PROTECTED] wrote:
> P.S. Joseph, thanks for the kind words and I hope all worked out for you.
> I'm still ashamed the way things went down.

Hey.. No worries. I call it like I see it and I know Shift4 is a great
company for people to use (heck, I helped a small section of it get
built, so I KNOW there's some serious security on there).

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:308747


Re: credit card storage help

2008-05-26 Thread Ian Rutherford
Look up PCI Compliance and you will see the recommended practices. You can store
certain data as long as you have the data encrypted, as well as written policies
that detail it and how you handle key management. I am working on a 3DES solution
that will be a lot cheaper than buying an nCipher or the like for 25K.

Eric Haskins



On Fri, May 23, 2008 at 9:27 PM, Mike Kear [EMAIL PROTECTED] wrote:

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306043


Re: credit card storage help

2008-05-26 Thread Ian Rutherford
MSSQL has built-in DES encryption now. It is very simple to implement. 
Authorize.net has recurring billing that you can set up through their API so 
you can avoid keeping the numbers yourself.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306044


Re: credit card storage help

2008-05-24 Thread Eric Haskins
Look up PCI Compliance and you will see the recommended practices. You can store
certain data as long as you have the data encrypted, as well as written policies
that detail it and how you handle key management. I am working on a 3DES solution
that will be a lot cheaper than buying an nCipher or the like for 25K.

Eric Haskins



On Fri, May 23, 2008 at 9:27 PM, Mike Kear [EMAIL PROTECTED] wrote:

> So how do ISPs and other companies handle storing credit cards? I
> get regularly charged by several companies, not all of whom would be
> large enough to have dedicated IT departments. Are they storing
> the card details and hoping for the best?
>
> I know there are big billing companies who would be expected to have a
> pretty serious security environment - Plimus comes to mind there - I
> have 3 accounts for different vendors with them - but conducting a
> monthly business that bills clients monthly would be impractical if
> you couldn't store credit card numbers.
>
> For my own hosting company, I keep credit card details in a totally
> off-line system that never touches the internet. But without being
> able to bill monthly, hosting would not be viable as a business. I
> would like to have a much better arrangement - it's highly
> inconvenient having to bill the cards the way we do. I'd like to be
> able to automate it somehow.
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
> On Sat, May 24, 2008 at 5:54 AM, Phillip Vector
> [EMAIL PROTECTED] wrote:
> > When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
> > they say who is that, tell them it's the developer they fired 3 days
> > before Christmas after he moved out to work for them.
> >
> > Good company for security, Pain in the neck HR rep.
> >
> > On Fri, May 23, 2008 at 12:47 PM, Jessica Kennedy
> > [EMAIL PROTECTED] wrote:
> > > so you're saying I shouldn't do it??? =) ok, you convinced me... I was
> > > pretty nervous about doing that anyway... looks like Shift4 will do what I
> > > need anyway.
> > >
> > > and for those of you in a similar situation, I would NOT recommend
> > > Cardservice International for anything even vaguely large-scale. Not good at
> > > all...
> > >
> > > thanks for the advice about saving data as separate encrypted fields...
> > > I really don't have any choice but to collect some sensitive info so I will
> > > employ that technique... even if the data will only be on the database for a
> > > max of 20 min, I'm not taking chances!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306009


RE: credit card storage help

2008-05-23 Thread Matthew Sievert
Oh man, 

(What company is this for?)
You guys are too funny. 

Seriously,

I wouldn't get anywhere near credit card numbers. I did for one project
and it scared the crap out of me. 

Let someone else worry about the entire process. Even if it costs the
client a bit more.  

-Original Message-
From: Phillip Vector [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 22, 2008 3:52 PM
To: CF-Talk
Subject: Re: credit card storage help

Sounds like a management problem then actually..

You may want to check out Shift4. They are pretty cheap and are pretty
reliable. I used to work for them and trust me.. Security is #1 for
them.

If not, then you need to get on the phone with them and complain that
they are assisting with fraud or whatever else you can come up with.
That becomes a problem with the company.

Either that, or store the cards on your site, encrypt them and hope for
the best. I'd get in print someplace that your managers know they are
taking a risk though and it's not your fault if you get hacked and all
the credit card numbers are gone.

So... What company is this again? :)

On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
[EMAIL PROTECTED] wrote:
> Cardservice international... they store partial card #'s for reference
> if I am not mistaken...
>
> they have a reoccurring billing feature on their website, the only
> problem is that once a person is entered into the reoccurring cycle,
> they will run the person's credit card over and over and stick us with
> the fees regardless of how obvious it is the card is going to decline.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305946


Re: credit card storage help

2008-05-23 Thread Eric Haskins
A lot of online merchants and offline merchants store your cards. The trick
is the encryption. PCI allows for storage but you would need to have some
sort of solution for key management and encryption.

Some examples of appliances for this are nCipher
http://ncipher.com/products/hardware_security_modules/10/nethsm/

I have done some projects with these in the past; they are $$$ and you would
need at least 2 in case one fails.

I am working on a cheaper, smaller scale solution, for the people that
can't afford 25K each LOL

Eric Haskins



On Fri, May 23, 2008 at 8:57 AM, Matthew Sievert 
[EMAIL PROTECTED] wrote:

> Oh man,
>
> (What company is this for?)
> You guys are too funny.
>
> Seriously,
>
> I wouldn't get anywhere near credit card numbers. I did for one project
> and it scared the crap out of me.
>
> Let someone else worry about the entire process. Even if it costs the
> client a bit more.
>
> -Original Message-
> From: Phillip Vector [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 22, 2008 3:52 PM
> To: CF-Talk
> Subject: Re: credit card storage help
>
> Sounds like a management problem then actually..
>
> You may want to check out Shift4. They are pretty cheap and are pretty
> reliable. I used to work for them and trust me.. Security is #1 for
> them.
>
> If not, then you need to get on the phone with them and complain that
> they are assisting with fraud or whatever else you can come up with.
> That becomes a problem with the company.
>
> Either that, or store the cards on your site, encrypt them and hope for
> the best. I'd get in print someplace that your managers know they are
> taking a risk though and it's not your fault if you get hacked and all
> the credit card numbers are gone.
>
> So... What company is this again? :)
>
> On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
> [EMAIL PROTECTED] wrote:
> > Cardservice international... they store partial card #'s for reference
> > if I am not mistaken...
> >
> > they have a reoccurring billing feature on their website, the only
> > problem is that once a person is entered into the reoccurring cycle,
> > they will run the person's credit card over and over and stick us with
> > the fees regardless of how obvious it is the card is going to decline.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305948


Re: credit card storage help

2008-05-23 Thread Jessica Kennedy
so you're saying I shouldn't do it??? =) ok, you convinced me... I was pretty 
nervous about doing that anyway... looks like Shift4 will do what I need 
anyway.

and for those of you in a similar situation, I would NOT recommend Cardservice 
International for anything even vaguely large-scale. Not good at all...

thanks for the advice about saving data as separate encrypted fields... I 
really don't have any choice but to collect some sensitive info so I will 
employ that technique... even if the data will only be on the database for a 
max of 20 min, I'm not taking chances!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305961


Re: credit card storage help

2008-05-23 Thread Phillip Vector
When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
they say who is that, tell them it's the developer they fired 3 days
before Christmas after he moved out to work for them.

Good company for security, Pain in the neck HR rep.

On Fri, May 23, 2008 at 12:47 PM, Jessica Kennedy
[EMAIL PROTECTED] wrote:
> so you're saying I shouldn't do it??? =) ok, you convinced me... I was
> pretty nervous about doing that anyway... looks like Shift4 will do what I
> need anyway.
>
> and for those of you in a similar situation, I would NOT recommend
> Cardservice International for anything even vaguely large-scale. Not good at
> all...
>
> thanks for the advice about saving data as separate encrypted fields... I
> really don't have any choice but to collect some sensitive info so I will
> employ that technique... even if the data will only be on the database for a
> max of 20 min, I'm not taking chances!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305962


Re: credit card storage help

2008-05-23 Thread Mike Kear
So how do ISPs and other companies handle storing credit cards? I
get regularly charged by several companies, not all of whom would be
large enough to have dedicated IT departments. Are they storing
the card details and hoping for the best?

I know there are big billing companies who would be expected to have a
pretty serious security environment - Plimus comes to mind there - I
have 3 accounts for different vendors with them - but conducting a
monthly business that bills clients monthly would be impractical if
you couldn't store credit card numbers.

For my own hosting company, I keep credit card details in a totally
off-line system that never touches the internet. But without being
able to bill monthly, hosting would not be viable as a business. I
would like to have a much better arrangement - it's highly
inconvenient having to bill the cards the way we do. I'd like to be
able to automate it somehow.


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
On Sat, May 24, 2008 at 5:54 AM, Phillip Vector
[EMAIL PROTECTED] wrote:
> When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
> they say who is that, tell them it's the developer they fired 3 days
> before Christmas after he moved out to work for them.
>
> Good company for security, Pain in the neck HR rep.
>
> On Fri, May 23, 2008 at 12:47 PM, Jessica Kennedy
> [EMAIL PROTECTED] wrote:
> > so you're saying I shouldn't do it??? =) ok, you convinced me... I was
> > pretty nervous about doing that anyway... looks like Shift4 will do what I
> > need anyway.
> >
> > and for those of you in a similar situation, I would NOT recommend
> > Cardservice International for anything even vaguely large-scale. Not good at
> > all...
> >
> > thanks for the advice about saving data as separate encrypted fields... I
> > really don't have any choice but to collect some sensitive info so I will
> > employ that technique... even if the data will only be on the database for a
> > max of 20 min, I'm not taking chances!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305993


Re: credit card storage help

2008-05-22 Thread Phillip Vector
That's pretty much it I would think... Encrypted sounds like the only
way to do it (and that's not that secure).

Can your payment processor handle the storage of your cards?

If not, what is the name of the company so I know never to use it. :)

On Thu, May 22, 2008 at 11:50 AM, Jessica Kennedy
[EMAIL PROTECTED] wrote:
> I need some help finding a secure way to store credit cards on a website I am
> working on. I know, I know you shouldn't do it unless you absolutely MUST,
> but it looks like I absolutely must, sad to say. I have to set up
> reoccurring payments with credit cards that will notify the user if their
> card is declined and lock them out of certain website features as well.
> Coding the above is not a problem, I am just very nervous about keeping
> credit card information on anyone.
>
> I know the card #'s need to be stored encrypted, but that's still a pretty
> broad range of options... any help would be much appreciated!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305916


Re: credit card storage help

2008-05-22 Thread Jessica Kennedy
Cardservice international... they store partial card #'s for reference if I am 
not mistaken... 

they have a reoccurring billing feature on their website, the only problem is 
that once a person is entered into the reoccurring cycle, they will run the 
person's credit card over and over and stick us with the fees  regardless of 
how obvious it is the card is going to decline. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305918


Re: credit card storage help

2008-05-22 Thread Phillip Vector
Sounds like a management problem then actually..

You may want to check out Shift4. They are pretty cheap and are pretty
reliable. I used to work for them and trust me.. Security is #1 for
them.

If not, then you need to get on the phone with them and complain that
they are assisting with fraud or whatever else you can come up with.
That becomes a problem with the company.

Either that, or store the cards on your site, encrypt them and hope
for the best. I'd get in print someplace that your managers know they
are taking a risk though and it's not your fault if you get hacked and
all the credit card numbers are gone.

So... What company is this again? :)

On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
[EMAIL PROTECTED] wrote:
> Cardservice international... they store partial card #'s for reference if I
> am not mistaken...
>
> they have a reoccurring billing feature on their website, the only problem is
> that once a person is entered into the reoccurring cycle, they will run the
> person's credit card over and over and stick us with the fees regardless of
> how obvious it is the card is going to decline.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305920


Re: credit card storage help

2008-05-22 Thread Les Mizzell
Jessica Kennedy wrote:
> I need some help finding a secure way to store credit cards on a website I am
> working on.

1. Don't

2. No really, don't

I've had to do it once. I wasn't happy about it. I made the client sign 
a waiver saying that I was in *no* way responsible if anything ever 
happened and the server was compromised.

It still scared the hell out of me, so I had to be devious in the storage.

I set up 6 fields in the database. I *split* the card numbers up into 
six different chunks, merged each one of those chunks back into 6 
legit-looking card numbers, and then encrypted them all into the six 
fields, using different encryption methods for each field. I figured the 
chances of somebody compromising the database, decrypting all six fields, 
and then figuring out which part of each number needed to be combined 
together into the real number was pretty slim...

Paranoid? Oh yeah...

Better than nothing ...

But hey, DON'T. Seriously.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305931


Re: credit card storage help

2008-05-22 Thread Brian Kotek
You're opening yourself up to huge potential liability if anyone ever steals
these numbers. Basically, don't.

http://usa.visa.com/merchants/risk_management/cisp.html


On Thu, May 22, 2008 at 2:50 PM, Jessica Kennedy 
[EMAIL PROTECTED] wrote:

> I need some help finding a secure way to store credit cards on a website I
> am working on. I know, I know you shouldn't do it unless you absolutely
> MUST, but it looks like I absolutely must, sad to say. I have to set up
> reoccurring payments with credit cards that will notify the user if their
> card is declined and lock them out of certain website features as well.
> Coding the above is not a problem, I am just very nervous about keeping
> credit card information on anyone.
>
> I know the card #'s need to be stored encrypted, but that's still a pretty
> broad range of options... any help would be much appreciated!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305932


Re: credit card storage help

2008-05-22 Thread Phillip Vector
Well, at least you can go back to your boss and tell him that you
didn't find a single person who says you should store it. :)

On Thu, May 22, 2008 at 4:19 PM, Brian Kotek [EMAIL PROTECTED] wrote:
> You're opening yourself up to huge potential liability if anyone ever steals
> these numbers. Basically, don't.
>
> http://usa.visa.com/merchants/risk_management/cisp.html
>
>
> On Thu, May 22, 2008 at 2:50 PM, Jessica Kennedy
> [EMAIL PROTECTED] wrote:
>
> > I need some help finding a secure way to store credit cards on a website I
> > am working on. I know, I know you shouldn't do it unless you absolutely
> > MUST, but it looks like I absolutely must, sad to say. I have to set up
> > reoccurring payments with credit cards that will notify the user if their
> > card is declined and lock them out of certain website features as well.
> > Coding the above is not a problem, I am just very nervous about keeping
> > credit card information on anyone.
> >
> > I know the card #'s need to be stored encrypted, but that's still a pretty
> > broad range of options... any help would be much appreciated!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305933


Re: credit card storage help

2008-05-22 Thread Mary Jo Sminkey

> You may want to check out Shift4. They are pretty cheap and are pretty
> reliable. I used to work for them and trust me.. Security is #1 for
> them.

There's another good reason to look at Shift4. They have a tokenization 
technology in place which allows you to save a token that links to that 
credit card information on their system without actually saving the card data 
yourself. This is particularly ideal for recurring transactions where you need 
to be able to rebill the same card but don't want the liability of saving card 
data. 

--- Mary Jo
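Steve's i4Go remark and Mary Jo's description come down to the same design: the merchant's database holds an opaque token and a display hint, never the card number. As an added example (not from the thread and not any gateway's code), here is what such a record looks like in Go together with a Luhn-based scan that flags any real card number that has crept into stored fields; the record layout, the constructed token and the sample log line are assumptions, and the scan is what you would run over database exports, logs and backups to confirm nothing is in PCI scope.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BillingProfile is the only card-related data the merchant keeps once a
// gateway token is in use: an opaque token, a display hint and the expiry.
// Constructed for this example; the field names are assumptions, not any
// gateway's API.
type BillingProfile struct {
	CustomerID string
	Token      string // opaque reference to the card held in the gateway's vault
	Last4      string // display hint only; not enough to rebuild the PAN
	ExpMonth   int
	ExpYear    int
}

// luhnValid reports whether a digit string passes the Luhn check-digit test
// that every real card number satisfies. Input must be digits only.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panPattern matches 13 to 19 digits, optionally separated by single spaces
// or dashes, bounded by non-digit characters.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// FindPANs returns every Luhn-valid card number found in the text, with the
// separators stripped. Digit runs that fail Luhn (order ids, phone numbers)
// are ignored, which keeps the false-positive rate low on real exports.
func FindPANs(text string) []string {
	var hits []string
	for _, m := range panPattern.FindAllString(text, -1) {
		var b strings.Builder
		for _, r := range m {
			if r >= '0' && r <= '9' {
				b.WriteRune(r)
			}
		}
		digits := b.String()
		if luhnValid(digits) {
			hits = append(hits, digits)
		}
	}
	return hits
}

// StoredPANs scans the fields a merchant actually persists for a customer.
// An empty result is what "out of PCI scope" looks like at the data layer.
// Fields are joined with " | " so digits from two columns cannot run together
// into one false candidate.
func StoredPANs(p BillingProfile) []string {
	return FindPANs(strings.Join([]string{p.CustomerID, p.Token, p.Last4}, " | "))
}

func main() {
	// Constructed records: one tokenized correctly, one legacy row where the
	// full (test) card number ended up in the token column by mistake.
	good := BillingProfile{CustomerID: "cust-1001", Token: "tok_8f3a9c2d", Last4: "1111", ExpMonth: 12, ExpYear: 2027}
	bad := BillingProfile{CustomerID: "cust-1002", Token: "4111 1111 1111 1111", Last4: "1111", ExpMonth: 3, ExpYear: 2026}
	for _, p := range []BillingProfile{good, bad} {
		fmt.Printf("%s: stored PANs = %v\n", p.CustomerID, StoredPANs(p))
	}
	// Constructed log line: the 16-digit order id fails Luhn and is ignored,
	// the standard test card number is flagged.
	fmt.Println(FindPANs("order 1234567890123456 paid with card 4111-1111-1111-1111 exp 12/27"))
}
```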



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305939


Re: credit card storage help

2008-05-22 Thread mac jordan
On 5/22/08, Jessica Kennedy [EMAIL PROTECTED]
wrote:

> I need some help finding a secure way to store credit cards on a website I
> am working on. I know, I know you shouldn't do it unless you absolutely
> MUST, but it looks like I absolutely must, sad to say. I have to set up
> reoccurring payments with credit cards that will notify the user if their
> card is declined and lock them out of certain website features as
> well. Coding the above is not a problem, I am just very nervous about
> keeping credit card information on anyone.


I wouldn't take the responsibility myself - when I had to do this for a
client, I passed the whole card processing and so forth over to WorldPay,
and just used their API to do the callback and so forth.

-- 
mac jordan
www.webhorus.net
www.nibblous.com
www.kestrel.org
www.jordan-cats.org


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305942


RE: Credit card storage

2005-09-23 Thread Montgomery Chris Ctr AFSFC/SFPA
I started down a similar path for a client. What I ended up doing, instead,
was to write the order forms and processing code in CF and then I converted
the final order confirmation page to ASP.net and passed all form values to
that for submission to the Cybersource site. My boss knows .NET, so he was
nice enough to step thru the CF processing code with me and we wrote the
form processing form together to send the post to Cybersource. If anyone
wants a copy of that, lemme know. Cheers.

-- 
//SIGNED//
Chris Montgomery, Contractor 
HQ AF Security Forces Center, Antiterrorism Branch 
1517 Billy Mitchell Blvd, Bldg 954 
Lackland AFB, TX 78236-0119 
DSN 312.945.7150
Comm 210.925.7150


> -Original Message-
> From: David Livingston [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 22, 2005 1:35 PM
> To: CF-Talk
> Subject: Re: Credit card storage
>
>
> Bank of America now uses Cybersource (http://cybersource.com) as
> their processing service. They do not provide any APIs or support
> for ColdFusion. I ended up using their PHP solution and calling it
> from the command line using cfexecute. Not the cleanest solution but
> it works.
>
> FYI
>
> Dave

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219053


Re: Credit card storage

2005-09-23 Thread Bud
And now they've redone it to Cybersource... I looked over the docs not so
long ago and I don't think I have ever seen a more complex payment gateway
interface, ever.

I just got done integrating my cf_ezcart with Cybersource. This was 
the worst interface I've worked with out of any so far. UGH
-- 

Bud Schneehagen - Tropical Web Creations, Inc.

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Web Based Solutions / eCommerce Development & Hosting
http://www.twcreations.com/ - http://www.cf-ezcart.com/
Toll Free: 877.207.6397 - Local & Int'l Phone/Fax: 386.789.0968

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219057


Re: Credit card storage

2005-09-23 Thread Matt Robertson
If you want to write something generic for one or two of my clients I may
have a job for you. I have some clients using my CMS for signup stuff that
needs this, and one of them is a BofA customer. Let me know off-list if
you're interested.
 Cheers,

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219100


RE: Credit card storage

2005-09-23 Thread Figy, Kam
We use a CFX that does RSA encryption for someone who needed cards to be
stored for longer periods. The client pastes in their private key (over
ssl) to decrypt the numbers and process them. The numbers themselves are
never shown, even over ssl.

/k

-Original Message-
From: Alan Rother [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 9:15 PM
To: CF-Talk
Subject: Re: Credit card storage

I agree with Matt, it's not illegal. It does violate SOME credit card
companies policies regarding the proper handling of credit card data.
 The one exception to the rule is if you encrypt the data when you store
it.
 Don't use a one way hash, you need to use a strong encryption
algorithm.
Something like blowfish. The only real risk is if you are in a shared
hosting environment someone can hack you site in minutes and find the
decryption module and suck your database dry.
 If you are on a shared server I would not store credit card information
in
your database. There is NO WAY TO PROTECT YOUR DATA. I can't stress this
point enough. If I have a website on the same server as you, it would
take
me a matter of minutes to completely hack your app and database.
 =]
 If you are on your own box and you can protect it throughly it would be
OK
to store the CC info, but I would still advise against it.

 On 9/21/05, Mike Little [EMAIL PROTECTED] wrote:

 thanks bryan, i am tending to think that the only option IS to go with a
 payment server. m.

  Rather than use a dedicated payment server for their online store, they
  wish for the transaction including credit card to be stored for
  retrieval. They would then process the transaction manually using
  EFTPOS. (each store receives orders based on the billing address
  entered)
 
 Well that is illegal for one thing...if the cc companies catch them they
 will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE
 Txs... using the terminal for online sales is a no no
 
 Storing CC numbers opens the site up to an expensive security audit from the
 cc companies and opens the client (and possibly yourself) to some major
 liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!
 
 
  My question is, is there a safe way to do this. I am pretty reluctant to
  store credit card information - it would be in an SQL Server db at my
  webhost.
 
 Yes...but see above ;-)
 
 HTH
 
 Cheers
 
 Bryan Stevenson B.Comm.
 VP & Director of E-Commerce Development
 Electric Edge Systems Group Inc.
 phone: 250.480.0642
 fax: 250.480.1264
 cell: 250.920.8830
 e-mail: [EMAIL PROTECTED]
 web: www.electricedgesystems.com http://www.electricedgesystems.com
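Kam's arrangement, where the web tier holds only a public key and the operator supplies the private key at decryption time, is the one merchant-side storage scheme in this thread where a copy of the server and database is not by itself enough to recover a card. Here it is as an added example in Go (not the CFX Kam mentions, and not ColdFusion): each card gets a fresh AES-256-GCM data key, and that key is wrapped with RSA-OAEP under the operator's public key. The 2048-bit key size, the label string and the test number 4111111111111111 are assumptions of the example; a real deployment keeps the private key off the web server and, as Kam describes, only ever pastes it in over SSL for a single decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// label binds the wrapped key and the ciphertext to this use; OAEP and
// GCM both check it, so an envelope cannot be repurposed for another field.
var label = []byte("card-on-file-v1")

// Envelope is all the web tier stores for a card: a random per-card
// AES-256 data key wrapped with the operator's RSA public key, plus the
// GCM nonce and the authenticated ciphertext of the PAN.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(dataKey), 256 bytes for a 2048-bit key
	Nonce      []byte // 12-byte GCM nonce, unique per envelope
	Ciphertext []byte // AES-256-GCM(PAN) including the authentication tag
}

// GenerateOperatorKey makes the key pair. Only the public half is deployed
// to the web server; the private half stays with the operator.
func GenerateOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts pan under a fresh data key and wraps that key with pub.
// Nothing here needs the private key, so an attacker who dumps the server
// and the database gets envelopes they cannot open.
func Seal(pub *rsa.PublicKey, pan string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It runs only in the operator's session, with the
// private key supplied for that request and never written to disk.
func Open(priv *rsa.PrivateKey, env *Envelope) (string, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, label)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// gcm.Open fails on any change to nonce, ciphertext or label.
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, label)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := GenerateOperatorKey()
	if err != nil {
		panic(err)
	}
	// 4111111111111111 is a standard test number, not a real card.
	env, err := Seal(&priv.PublicKey, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Ciphertext))
	pan, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("operator recovered:", pan)
}
```

The public key can sit in plain text on the web server; what must never be there is the private half. Decryption failing closed on tampering (GCM) and on the wrong key (OAEP) means a corrupted or substituted envelope is an error rather than a wrong card number.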

 



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219162


Re: Credit card storage

2005-09-22 Thread Ken Ferguson
It would be completely silly NOT to get a merchant account and do the 
transactions online in real time. I can't think of an argument in favor 
of processing transactions in the way you describe that makes any sense. 
However, I'm not aware of any *law* against storing credit card 
information. Depending on your client's banking situation, they may be 
violating their contract if they do it, but it isn't illegal. They will, 
however, be subject to a tremendous amount of liability if the data is 
ever compromised. Also, as the developer and a party with specialized 
knowledge, you could be included personally in any liability suit. I 
know of one case in the US where this happened and the consultant 
narrowly escaped being held partially liable for the damage; he still 
had quite a lot of expenses involved in his defense though. At least 
limit your liability by documenting your strong objections to storing 
sensitive financial data -- this kind of documentation was the only 
reason my friend was NOT held liable in court.

--Ferg


Mike Little wrote:

thanks bryan, i am tending to think that the only option IS to go with a 
payment server. m.

  

Rather than use a dedicated payment server for their online store, they
wish for the transaction including credit card to be stored for
retrieval. They would then process the transaction manually using
EFTPOS. (each store receives orders based on the billing address
entered)
  

Well that is illegal for one thing...if the cc companies catch them they 
will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE 
Txs... using the terminal for online sales is a no no

Storing CC numbers opens the site up to an expensive security audit from the 
cc companies and opens the client (and possibly yourself) to some major 
liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!



My question is, is there a safe way to do this. I am pretty reluctant to
store credit card information - it would be in an SQL Server db at my
webhost.
  

Yes...but see above ;-)

HTH

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218936


Re: Credit card storage

2005-09-22 Thread Thomas Chiverton
On Thursday 22 September 2005 02:01, Mike | NZSolutions Ltd wrote:
 Every job I do for this client is nailed down to the last cent

shrug
This is what it costs to do business on the internet.

You may want to point out that one law suit (or, if in the US, the threat of 
one) could ruin the company.

-- 

Tom Chiverton 
Advanced ColdFusion Programmer

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218937


Re: Credit card storage

2005-09-22 Thread Bryan Stevenson
yep...I used illegal when I meant to say that the card companies will 
simply send out the men in black to deal with you ;-)  Yes..there is no 
law...just against card company policy and the intended use of the 
terminals.

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218942


Re: Credit card storage

2005-09-22 Thread Les Mizzell
 My question is, is there a safe way to do this. I am pretty reluctant to
 store credit card information 

I have one client that has insisted on processing their CC order 
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete 
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
along with a false, randomly generated rest
of the number.
C. The other 1/2 is stored in the database, along with two
additional false fields with randomly generated
encrypted numbers.
D. Once they login and retrieve the portion from the database,
it's automatically deleted, so nothing stays in the
database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is 
broken, they've only got 1/2 the number at best, and they still have to 
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best, 
24 hours worth of numbers and even if the encryption is broken, they've 
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm 
*still* pressuring them to move to a merchant account through their bank 
for security purposes. I've got a signed disclaimer stating my 
disapproval of the method being used.

Client always knows best, right? Sheesh!


-- 
---
Les Mizzell

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218943


Re: Credit card storage

2005-09-22 Thread Bryan Stevenson
Put the fear of legal action and loss of money...that usually works better 
than "you should really follow the rules" ;-)

With clients like that I simply say "You're fired!!" (haven't had to 
yet...but I've warned that I would not do it the wrong way).

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218945


RE: Credit card storage

2005-09-22 Thread Andy Matthews
Les...

We've used that same method. Storing half and emailing the other half. I've
got comments in my code stating that I'm nervous about this part.

:)

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 9:43 AM
To: CF-Talk
Subject: Re: Credit card storage


 My question is, is there a safe way to do this. I am pretty reluctant to
 store credit card information

I have one client that has insisted on processing their CC order
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
along with a false, randomly generated rest
of the number.
C. The other 1/2 is stored in the database, along with two
additional false fields with randomly generated
encrypted numbers.
D. Once they login and retrieve the portion from the database,
it's automatically deleted, so nothing stays in the
database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is
broken, they've only got 1/2 the number at best, and they still have to
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best,
24 hours worth of numbers and even if the encryption is broken, they've
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm
*still* pressuring them to move to a merchant account through their bank
for security purposes. I've got a signed disclaimer stating my
disapproval of the method being used.

Client always knows best, right? Sheesh!


--
---
Les Mizzell


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218947


RE: Credit card storage

2005-09-22 Thread Burns, John D
I have a similar situation with a project I'm working on but it would
require me breaking some of the suggestions posted. The project I'm
working on is a membership site in which members can be doing multiple
transactions within a week's time. We wanted to allow users to have their
CC info stored on our server to allow them faster checkout times for all
of these transactions.  I believe Walmart and a few other large online
stores do this. I was planning on doing some sort of encryption of the
numbers and do some of the other confusion based security, but I'm
just wondering if anyone else has dealt with anything like this.


John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
 

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 11:00 AM
To: CF-Talk
Subject: RE: Credit card storage

Les...

We've used that same method. Storing half and emailing the other half.
I've got comments in my code stating that I'm nervous about this part.

:)

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 9:43 AM
To: CF-Talk
Subject: Re: Credit card storage


 My question is, is there a safe way to do this. I am pretty reluctant 
 to store credit card information

I have one client that has insisted on processing their CC order
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
along with a false, randomly generated rest
of the number.
C. The other 1/2 is stored in the database, along with two
additional false fields with randomly generated
encrypted numbers.
D. Once they login and retrieve the portion from the database,
it's automatically deleted, so nothing stays in the
database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is
broken, they've only got 1/2 the number at best, and they still have to
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best,
24 hours worth of numbers and even if the encryption is broken, they've
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm
*still* pressuring them to move to a merchant account through their bank
for security purposes. I've got a signed disclaimer stating my
disapproval of the method being used.

Client always knows best, right? Sheesh!


--
---
Les Mizzell




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218951


RE: Credit card storage

2005-09-22 Thread Mark Leder
While I can appreciate and agree with everything that is being stated about
not storing credit cards, the one issue I constantly run into is this:

Even though CCs are processed through an Internet merchant account in real
time and not stored on a client's database, clients want to be able to
access the number so that they can a) issue refunds/credits or b) have
recurring billing, such as would occur with a subscription.  I just went out
and checked Authorize.net's virtual terminal and in the refund/credit mode,
the form requires the full cc number and exp date.  In this case should the
client just store the last 4 digits of the number and not store the exp date
at all, then contact the customer when a refund is to be processed
(referencing the ending card digits)?

In the case of recurring billing, Authorize.net now includes that as part of
their offerings.

Unfortunately, most clients get the impression that storing CCs is OK,
because they do business with Amazon and GoDaddy, and others which keeps
their numbers on file (with the user's permission).  I'm sure these
companies have multiple layers of security.

Thanks,
Mark




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218955


Re: Credit card storage

2005-09-22 Thread Ken Ferguson
I think your best bet is to set the customers' accounts up with your 
processor as recurring payments on a variable timescale, then you can 
store just the last 4 digits of their card(s) and their account_id in 
the processor's system. Then when they want to pay for something you 
show them a list of their card numbers like:

Select from your credit cards on file:
   8745
   9385

and when you submit the transaction you're just hitting your processor 
for the recurring account. This way the processor is the one storing the 
financial data and you are protected from liability...

--Ferg



Burns, John D wrote:

I have a similar situation with a project I'm working on but it would
require me breaking some of the suggestions posted. The project I'm
working on is a membership site in which members can be doing multiple
transactions within a week's time. We wanted to allow users to have their
CC info stored on our server to allow them faster checkout times for all
of these transactions.  I believe Walmart and a few other large online
stores do this. I was planning on doing some sort of encryption of the
numbers and do some of the other confusion based security, but I'm
just wondering if anyone else has dealt with anything like this.


John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
 

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 11:00 AM
To: CF-Talk
Subject: RE: Credit card storage

Les...

We've used that same method. Storing half and emailing the other half.
I've got comments in my code stating that I'm nervous about this part.

:)

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 9:43 AM
To: CF-Talk
Subject: Re: Credit card storage


  

My question is, is there a safe way to do this. I am pretty reluctant 
to store credit card information



I have one client that has insisted on processing their CC order
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
along with a false, randomly generated rest
of the number.
C. The other 1/2 is stored in the database, along with two
additional false fields with randomly generated
encrypted numbers.
D. Once they login and retrieve the portion from the database,
it's automatically deleted, so nothing stays in the
database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is
broken, they've only got 1/2 the number at best, and they still have to
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best,
24 hours worth of numbers and even if the encryption is broken, they've
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm
*still* pressuring them to move to a merchant account through their bank
for security purposes. I've got a signed disclaimer stating my
disapproval of the method being used.

Client always knows best, right? Sheesh!


--
---
Les Mizzell






Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218956


Re: Credit card storage

2005-09-22 Thread Ken Ferguson
Sorry, I worded that badly. I meant that you can store only the last 4 
digits and the account ID locally and the whole number on the 
processor's system. That way you don't have the responsibility of 
actually storing the number. Your customers are likely to be happy that 
you're providing an extra layer of security for them too.

--Ferg

Ken Ferguson wrote:

I think your best bet is to set the customers' accounts up with your 
processor as recurring payments on a variable timescale, then you can 
store just the last 4 digits of their card(s) and their account_id in 
the processor's system. Then when they want to pay for something you 
show them a list of their card numbers like:

Select from your credit cards on file:
   8745
   9385

and when you submit the transaction you're just hitting your processor 
for the recurring account. This way the processor is the one storing the 
financial data and you are protected from liability...

--Ferg



Burns, John D wrote:

  

I have a similar situation with a project I'm working on but it would
require me breaking some of the suggestions posted. The project I'm
working on is a membership site in which members can be doing multiple
transactions within a week's time. We wanted to allow users to have their
CC info stored on our server to allow them faster checkout times for all
of these transactions.  I believe Walmart and a few other large online
stores do this. I was planning on doing some sort of encryption of the
numbers and do some of the other confusion based security, but I'm
just wondering if anyone else has dealt with anything like this.


John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer


-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 11:00 AM
To: CF-Talk
Subject: RE: Credit card storage

Les...

We've used that same method. Storing half and emailing the other half.
I've got comments in my code stating that I'm nervous about this part.

:)

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 9:43 AM
To: CF-Talk
Subject: Re: Credit card storage


 



My question is, is there a safe way to do this. I am pretty reluctant 
to store credit card information
   

  

I have one client that has insisted on processing their CC order
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
   along with a false, randomly generated rest
   of the number.
C. The other 1/2 is stored in the database, along with two
   additional false fields with randomly generated
   encrypted numbers.
D. Once they login and retrieve the portion from the database,
   it's automatically deleted, so nothing stays in the
   database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is
broken, they've only got 1/2 the number at best, and they still have to
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best,
24 hours worth of numbers and even if the encryption is broken, they've
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm
*still* pressuring them to move to a merchant account through their bank
for security purposes. I've got a signed disclaimer stating my
disapproval of the method being used.

Client always knows best, right? Sheesh!


--
---
Les Mizzell










Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218959


Re: Credit card storage

2005-09-22 Thread Bryan Stevenson
 While I can appreciate and agree with everything that is being stated 
 about
 not storing credit cards, the one issue I constantly run into is this:

 Even though CC's are processed through an Internet merchant account in 
 real
 time and not stored on a client's database, clients want to be able to
 access the number so that they can a) issue refunds/credits or b) have
 recurring billing, such as would occur with a subscription.  I just went 
 out
 and checked Authorize.net's virtual terminal and in the refund/credit 
 mode,
 the form requires the full cc number and exp date.  In this case should 
 the
 client just store the last 4 digits of the number and not store the exp 
 date
 at all, then contact the customer when a refund is to be processed
 (referencing the ending card digits)?

 In the case of recurring billing, Authorize.net now includes that as part 
 of
 their offerings.

 Unfortunately, most clients get the impression that storing CCs is OK,
 because they do business with Amazon and GoDaddy, and others which keeps
 their numbers on file (with the user's permission).  I'm sure these
 companies have multiple layers of security.

When using recurring billing with cc processors, the cc processors store the 
cc number and give you a client number...you store the client 
number...when you need to charge another payment or make any refunds you 
can initiate the Tx using the client number the cc processor gave 
you...easy like pie...no need for having ANY cc number info.

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com 
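Ken's "last 4 digits plus account ID" layout and Bryan's "client number" are the same tokenization pattern, so one added example (Go, not any processor's real API and not ColdFusion) covers both posts. The Processor type is an in-memory stand-in for the gateway's vault, its Tokenize and Charge calls are assumed names, and the card numbers are standard industry test numbers rather than real cards. The merchant side keeps a token and the last four digits only, runs a Luhn check before the number leaves the request (a typo guard, not a security control) and never writes the PAN anywhere.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Luhn reports whether pan passes the Luhn check-digit test. It catches
// mistyped numbers before a round trip to the processor; it says nothing
// about whether the card exists or is authorised.
func Luhn(pan string) bool {
	if len(pan) < 12 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Processor stands in for the payment gateway (assumed interface). It is
// the only party that ever holds a PAN; the vault map models its storage.
type Processor struct {
	vault map[string]string // token -> PAN, on the processor's side only
}

func NewProcessor() *Processor { return &Processor{vault: map[string]string{}} }

// Tokenize takes the PAN once, at checkout, and returns an opaque
// reference. The token is random, so nothing about the card can be
// derived from it if the merchant's database leaks.
func (p *Processor) Tokenize(pan string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	p.vault[tok] = pan
	return tok, nil
}

// Charge runs a recurring charge or a refund against a token. The merchant
// never resupplies the card number.
func (p *Processor) Charge(token string, cents int) error {
	if _, ok := p.vault[token]; !ok {
		return errors.New("unknown token")
	}
	if cents == 0 {
		return errors.New("zero amount")
	}
	return nil
}

// CardOnFile is the merchant's database row: a processor token and the
// last four digits for display. No PAN, no expiry date.
type CardOnFile struct {
	Token string
	Last4 string
}

// StoreCard validates the PAN, hands it to the processor and keeps only
// what the merchant needs. The PAN is out of the merchant's hands when
// this returns.
func StoreCard(p *Processor, pan string) (CardOnFile, error) {
	pan = strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if !Luhn(pan) {
		return CardOnFile{}, errors.New("card number failed Luhn check")
	}
	tok, err := p.Tokenize(pan)
	if err != nil {
		return CardOnFile{}, err
	}
	return CardOnFile{Token: tok, Last4: pan[len(pan)-4:]}, nil
}

// Display renders the entry in the "select from your cards on file" list.
func (c CardOnFile) Display() string { return "card ending in " + c.Last4 }

func main() {
	proc := NewProcessor()
	card, err := StoreCard(proc, "4111 1111 1111 1111") // test number
	if err != nil {
		panic(err)
	}
	fmt.Println(card.Display(), "->", card.Token)
	fmt.Println("recurring charge:", proc.Charge(card.Token, 1999))
	_, err = StoreCard(proc, "4111 1111 1111 1112") // one digit off
	fmt.Println("typo rejected:", err)
}
```

Whether a given gateway lets you refund against a stored reference, as Mark found Authorize.net did not for him at the time, is a contract question to settle before committing to this layout; the code side is the easy part.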


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218960


Re: Credit card storage

2005-09-22 Thread Thomas Chiverton
On Thursday 22 September 2005 15:59, Andy Matthews wrote:
 got comments in my code stating that I'm nervous about this part.

Bzzt.
In court, that's basically admitting you knew better but did it anyway, i.e. 
you're liable, isn't it.

Better to just get the client to sign something to the effect that you made 
them aware of the risks, they understand, but wish to do it another way. In 
fact, that should be a standard 'if you don't take my advice' clause.

-- 

Tom Chiverton 
Advanced ColdFusion Programmer

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218970


RE: Credit card storage

2005-09-22 Thread Mark Leder
 When using recurring billing with cc processors, the cc processors store
the cc number and give you a client number...you store the client
number...when you need to charge another payment or make any refunds you
can initiate the Tx using the client number the cc processor gave
you...easy like pie...no need for having ANY cc number info.


I wish that were the case with Authorize.net - even though a transaction ID
is provided, they still require a cc number with refunds.  Who's your
processor? I might switch.

Thanks,
Mark




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218974


Re: Credit card storage

2005-09-22 Thread Bryan Stevenson
 I wish that were the case with Authorize.net - even though a transaction 
 ID
 is provided, they still require a cc number with refunds.  Who's your
 processor? I might switch.

 Thanks,
 Mark

Canadian company...was a year or more ago...ParaData I believe...but 
others seemed to have the same setup.

...and don't get me started again on Authorize.net...8 tech support 
people including 2 managers...none gave me the same answer...none could name 
the variables sent back after a Tx was processed nor how that data was sent 
back (i.e. form post or what...just you get back name/value pairs). 
grrr

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218975


Re: Credit card storage

2005-09-22 Thread Matt Robertson
Bank of America does recurring billing and you can give refunds from within
the merchant control panel without any cc info. Their fees are also mighty
low as well.

Unfortunately their interface with CF is appalling. I wrote one tag that
worked and is in the devex but I'm not sure it still works with their
current systems. I think they use encryption now that would require CF7's
new encryption options.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218983


RE: Credit card storage

2005-09-22 Thread Mark Fuqua
For what it's worth...I think Bank of America uses CF for a good part of
their site.  They should be able to point you to someone who can help you
interface CF with CF.

Mark

-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 1:01 PM
To: CF-Talk
Subject: Re: Credit card storage


Bank of America does recurring billing and you can give refunds from within
the merchant control panel without any cc info. Their fees are also mighty
low as well.

Unfortunately their interface with CF is appalling. I wrote one tag that
worked and is in the devex but I'm not sure it still works with their
current systems. I think they use encryption now that would require CF7's
new encryption options.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218985


RE: Credit card storage

2005-09-22 Thread Burns, John D
That's a good idea. Thanks for the info. I'll have to try that. 


John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
 

-Original Message-
From: Ken Ferguson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 11:36 AM
To: CF-Talk
Subject: Re: Credit card storage

I think your best bet is to set the customers' accounts up with your
processor as recurring payments on a variable timescale, then you can
store just the last 4 digits of their card(s) and their account_id in
the processor's system. Then when they want to pay for something you
show them a list of their card numbers like:

Select from your credit cards on file:
   8745
   9385

and when you submit the transaction you're just hitting your processor
for the recurring account. This way the processor is the one storing the
financial data and you are protected from liability...

--Ferg



Burns, John D wrote:

I have a similar situation with a project I'm working on but it would 
require me breaking some of the suggestions posted. The project I'm 
working on is a membership site in which members can be doing multiple 
transactions within a week's time. We wanted to allow users to have 
their CC info stored on our server to allow them faster checkout times 
for all of these transactions.  I believe Walmart and a few other large 
online stores do this. I was planning on doing some sort of encryption 
of the numbers and do some of the other confusion based security, but 
I'm just wondering if anyone else has dealt with anything like this.


John Burns
Certified Advanced ColdFusion MX Developer Wyle Laboratories, Inc. | 
Web Developer
 

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 11:00 AM
To: CF-Talk
Subject: RE: Credit card storage

Les...

We've used that same method. Storing half and emailing the other half.
I've got comments in my code stating that I'm nervous about this
part.

:)

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 9:43 AM
To: CF-Talk
Subject: Re: Credit card storage


  

My question is, is there a safe way to do this. I am pretty reluctant 
to store credit card information

I have one client that has insisted on processing their CC order 
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a 
complete number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted.
B. Then 1/2 of it is sent through email to the client along with a 
false, randomly generated remainder of the number.
C. The other 1/2 is stored in the database, along with two additional 
false fields with random generated encrypted numbers.
D. Once they login and retrieve the portion from the database, it's 
automatically deleted, so nothing stays in the database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is 
broken, they've only got 1/2 the number at best, and they still have to 
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best,
24 hours worth of numbers and even if the encryption is broken, they've
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm
*still* pressuring them to move to a merchant account through their 
bank for security purposes. I've got a signed disclaimer stating my 
disapproval of the method being used.

Client always knows best, right? Sheesh!


--
---
Les Mizzell









Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218986


Re: Credit card storage

2005-09-22 Thread David Livingston
Bank of America  now uses cybersource (http://cybersource.com) as  
their processing service. They do not provide any api's or support  
for coldfusion. I ended up using their php solution and calling it  
from the command line using cfexecute. Not the cleanest solution but  
it works.

FYI

Dave



On Sep 22, 2005, at 12:16 PM, Mark Fuqua wrote:

 For what it's worth...I think Bank of America uses CF for a good  
 part of
 their site.  They should be able to point you to someone who can  
 help you
 interface CF with CF.

 Mark

 -Original Message-
 From: Matt Robertson [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 22, 2005 1:01 PM
 To: CF-Talk
 Subject: Re: Credit card storage


 Bank of America does recurring billing and you can give refunds  
 from within
 the merchant control panel without any cc info. Their fees are also  
 mighty
 low as well.

 Unfortunately their interface with CF is appalling. I wrote one tag  
 that
 worked and is in the devex but I'm not sure it still works with their
 current systems. I think they use encryption now that would require  
 CF7's
 new encryption options.

 --
 --mattRobertson--
 Janitor, MSB Web Systems
 mysecretbase.com http://mysecretbase.com




 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218993


RE: Credit card storage

2005-09-22 Thread Ben Forta
CyberSource has an XML/SOAP based API and a Java API, I'd be surprised if
those could not be made to work with CF.

--- Ben


-Original Message-
From: David Livingston [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 2:35 PM
To: CF-Talk
Subject: Re: Credit card storage

Bank of America  now uses cybersource (http://cybersource.com) as their
processing service. They do not provide any api's or support for coldfusion.
I ended up using their php solution and calling it from the command line
using cfexecute. Not the cleanest solution but it works.

FYI

Dave



On Sep 22, 2005, at 12:16 PM, Mark Fuqua wrote:

 For what it's worth...I think Bank of America uses CF for a good part 
 of their site.  They should be able to point you to someone who can 
 help you interface CF with CF.

 Mark

 -Original Message-
 From: Matt Robertson [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 22, 2005 1:01 PM
 To: CF-Talk
 Subject: Re: Credit card storage


 Bank of America does recurring billing and you can give refunds from 
 within the merchant control panel without any cc info. Their fees are 
 also mighty low as well.

 Unfortunately their interface with CF is appalling. I wrote one tag 
 that worked and is in the devex but I'm not sure it still works with 
 their current systems. I think they use encryption now that would 
 require CF7's new encryption options.

 --
 --mattRobertson--
 Janitor, MSB Web Systems
 mysecretbase.com http://mysecretbase.com




 




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218995


Re: Credit card storage

2005-09-22 Thread Paul Hastings
Ben Forta wrote:
 CyberSource has an XML/SOAP based API and a Java API, I'd be surprised if
 those could not be made to work with CF.

one of their support folks popped up in the forums w/some detailed 
instructions to get mx talking to it not too many months ago. a quick 
search for CyberSource should do the trick.


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218996


RE: Credit card storage

2005-09-22 Thread Mike | NZSolutions Ltd
I am pleased to say the client is in favour of using a payment server -
yeeha!

It just works out so much easier and a hell of a lot safer for all
parties involved.

Thanks for everyone's words of wisdom on this.

mike

-Original Message-
From: Paul Hastings [mailto:[EMAIL PROTECTED] 
Sent: Friday, 23 September 2005 7:05 a.m.
To: CF-Talk
Subject: Re: Credit card storage


Ben Forta wrote:
 CyberSource has an XML/SOAP based API and a Java API, I'd be surprised

 if those could not be made to work with CF.

one of their support folks popped up in the forums w/some detailed 
instructions to get mx talking to it not too many months ago. a quick 
search for CyberSource should do the trick.




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219003


Re: Credit card storage

2005-09-22 Thread Bryan Stevenson
Excellent...a little browbeating goes a long way ;-)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219004


Re: Credit card storage

2005-09-22 Thread Mary Jo Sminkey
I wish that were the case with Authorize.net - even though a transaction ID
is provided, they still require a cc number with refunds.  Who's your
processor? I might switch.

Actually, that's not the case. The form does say credit card number but all 
you really have to provide is the last 4 digits. This is how I do refunds 
myself on AuthNet, I only store the last 4 digits of the card number and the 
transaction ID. 

Mary Jo Sminkey
www.cfwebstore.com



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219005
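Ken Ferguson's suggestion (quoted in John Burns's message above) and Mary Jo's AuthNet practice come down to the same thing: the merchant database keeps only the last four digits and the processor's own reference, never the full number. The Go code below is an added example written for this archive, not code from any poster; the CardOnFile record, the ProcessorRef field and the sample values are constructed placeholders, and the guard at the end is a check a practitioner would add so a full number cannot slip into the database through a free-text field.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CardOnFile is the only card-related record the merchant database keeps:
// the last four digits for display and the processor's own reference. The
// full number is never a field here.
type CardOnFile struct {
	Last4        string // shown in the "Select from your credit cards on file" list
	ProcessorRef string // hypothetical: the recurring-account id the processor returned
	ExpMonth     int
	ExpYear      int
}

var separators = strings.NewReplacer(" ", "", "-", "")

// luhnValid reports whether a digit string passes the Luhn check digit test.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 {
			return false // not a digit
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// normalizePAN strips spaces and dashes and rejects anything that is not a
// plausible card number, so a typo is caught before the card is enrolled.
func normalizePAN(raw string) (string, error) {
	digits := separators.Replace(strings.TrimSpace(raw))
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("card number length out of range")
	}
	if !luhnValid(digits) {
		return "", errors.New("card number fails Luhn check")
	}
	return digits, nil
}

// NewCardOnFile is called at checkout while the number is still only in
// memory; processorRef is what the processor handed back when the card was
// enrolled there, and the returned record is all that gets persisted.
func NewCardOnFile(rawPAN string, expMonth, expYear int, processorRef string) (CardOnFile, error) {
	pan, err := normalizePAN(rawPAN)
	if err != nil {
		return CardOnFile{}, err
	}
	if processorRef == "" {
		return CardOnFile{}, errors.New("processor reference required before storing card")
	}
	return CardOnFile{Last4: pan[len(pan)-4:], ProcessorRef: processorRef, ExpMonth: expMonth, ExpYear: expYear}, nil
}

// Label renders one row of the cards-on-file list.
func (c CardOnFile) Label() string {
	return fmt.Sprintf("**** %s (exp %02d/%d)", c.Last4, c.ExpMonth, c.ExpYear)
}

// panPattern finds 13-19 digit runs, optionally split by spaces or dashes.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// AssertNoPAN is a persistence guard for free-text fields (order notes,
// addresses): it refuses any value holding a Luhn-valid card-length digit
// run, so a full number cannot reach the database by a side route.
func AssertNoPAN(fields map[string]string) error {
	for name, value := range fields {
		for _, m := range panPattern.FindAllString(value, -1) {
			if luhnValid(separators.Replace(m)) {
				return fmt.Errorf("field %q contains what looks like a full card number", name)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample using a well-known test number, not a real card.
	card, err := NewCardOnFile("4111 1111 1111 1111", 12, 2027, "cust_constructed_001")
	if err != nil {
		panic(err)
	}
	fmt.Println(card.Label(), AssertNoPAN(map[string]string{"notes": "ring the bell"}))
}
```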


RE: Credit card storage

2005-09-22 Thread Mark Leder
 Actually, that's not the case. The form does say credit card number but
all you really have to provide is the last 4 digits. This is how I do
refunds myself on AuthNet, I only store the last 4 digits of the card number
and the transaction ID. 

Cool!

Mark





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219009


Re: Credit card storage

2005-09-22 Thread Matt Robertson
On 9/22/05, Mark Fuqua [EMAIL PROTECTED] wrote:

 For what it's worth...I think Bank of America uses CF for a good part of
 their site. They should be able to point you to someone who can help you
 interface CF with CF.



You're right they do. But the people who do the merchant support have no
connection or contact with the people who build the BofA web site. You can
bet I pointed that out a few times.

I can't tell you how many people I went thru over there, almost all of which
told me how CF was a toy language and why am I not using ASP etc. etc. I
wound up moving up the ladder until I finally, actually spoke to their
senior developer and he seemed to be the only one with any level of CF
knowledge. And even that didn't help. Or at least not all the way. There was
stuff like they required the browser to send a referrer, and they expected
it to be cgi.http_referrer. Note the extra 'r' in the varname. There were
flaws in their docs that had to be worked around once discovered...

In the end Dave Watts put the final pieces in place when I was 90% of the
way there, completely out of gas and posted here.

And now they've redone it to Cybersource... I looked over the docs not so
long ago and I don't think I have ever seen a more complex payment gateway
interface, ever.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219011


RE: Credit card storage

2005-09-22 Thread Mark Fuqua
Maybe this should be something that could be included with cf8...gateways
that hook up with 20-30 major gateways.  Payment gateways and others.  Even
though this is not really an enhancement to the language, neither is
charting or flex functionality or reporting or the gateways they included
with 7.

Just a thought.

Mark



-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 4:23 PM
To: CF-Talk
Subject: Re: Credit card storage


On 9/22/05, Mark Fuqua [EMAIL PROTECTED] wrote:

 For what it's worth...I think Bank of America uses CF for a good part of
 their site. They should be able to point you to someone who can help you
 interface CF with CF.



You're right they do. But the people who do the merchant support have no
connection or contact with the people who build the BofA web site. You can
bet I pointed that out a few times.

I can't tell you how many people I went thru over there, almost all of which
told me how CF was a toy language and why am I not using ASP etc. etc. I
wound up moving up the ladder until I finally, actually spoke to their
senior developer and he seemed to be the only one with any level of CF
knowledge. And even that didn't help. Or at least not all the way. There was
stuff like they required the browser to send a referrer, and they expected
it to be cgi.http_referrer. Note the extra 'r' in the varname. There were
flaws in their docs that had to be worked around once discovered...

In the end Dave Watts put the final pieces in place when I was 90% of the
way there, completely out of gas and posted here.

And now they've redone it to Cybersource... I looked over the docs not so
long ago and I don't think I have ever seen a more complex payment gateway
interface, ever.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219031


Re: Credit card storage

2005-09-21 Thread Bryan Stevenson
 Rather than use a dedicated payment server for their online store, they
 wish for the transaction including credit card to be stored for
 retrieval. They would then process the transaction manually using
 EFTPOS. (each store receives orders based on the billing address
 entered)

Well that is illegal for one thing...if the cc companies catch them they 
will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE 
Txs...using the terminal for online sales is a no no

Storing CC numbers opens the site up to an expensive security audit from the 
cc companies and opens the client (and possibly yourself) to some major 
liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!


 My question is, is there a safe way to do this. I am pretty reluctant to
 store credit card information - it would be in an SQL Server db at my
 webhost.

Yes...but see above ;-)

HTH

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com 



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218907


Re: Credit card storage

2005-09-21 Thread Matt Robertson
Inadvisable, definitely, but illegal? When did that law get passed? Do you
have a link to it? And does it apply to the AU/NZ jurisdiction the poster is
in?

I know the security audit bit came up in June of this year as a requirement
for most businesses (although the reality has been that only a very few of
my clients -- a grand total of one -- have actually been audited) but I have
yet to hear of a law passed that bans cc number storage by a web merchant.

http://developer.perthweb.com has a very strong public/private key RSA
encryption system that is very likely to satisfy your encryption needs
insofar as the sensitive info is concerned. It's US$39 per domain so that's
reasonable in the extreme. You'll have to make sure that the customer does
their job with respect to pasting in the private key to retrieve their cc
info, and that key should be subject to rigorous procedural and personnel
controls in the brick/mortar store.

If you go and put both keys on the server then the exercise is basically
worthless. But do it right and you can make the best of a bad idea. Part of
doing it right is employee training. Stuff like 'delete the order off the
web site as soon as you retrieve it' and forcing any view of data to be done
visually over SSL. No downloads unless you do something like secure FTP with
an encrypted password string... the latter being easier said than done
unless you can specify the ftp server and ftp client.

If this is a company that is big enough to have branch offices then they
should also be big enough to spend the relatively small dollars for a
merchant connection. Cheapskates?

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218908


RE: Credit card storage

2005-09-21 Thread Mike | NZSolutions Ltd
If this is a company that is big enough to have branch offices then
they should also be big enough to spend the relatively small dollars for
a merchant connection. Cheapskates?

Shuush... They might hear you!! Haha

Every job I do for this client is nailed down to the last cent

(I think I might have missed an email about the illegal bit ??)

mike

-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 22 September 2005 12:52 p.m.
To: CF-Talk
Subject: Re: Credit card storage


Inadvisable, definitely, but illegal? When did that law get passed? Do
you have a link to it? And does it apply to the AU/NZ jurisdiction the
poster is in?

I know the security audit bit came up in June of this year as a
requirement for most businesses (although the reality has been that only
a very few of my clients -- a grand total of one -- have actually been
audited) but I have yet to hear of a law passed that bans cc number
storage by a web merchant.

http://developer.perthweb.com has a very strong public/private key RSA
encryption system that is very likely to satisfy your encryption needs
insofar as the sensitive info is concerned. It's US$39 per domain so
that's reasonable in the extreme. You'll have to make sure that the
customer does their job with respect to pasting in the private key to
retrieve their cc info, and that key should be subject to rigorous
procedural and personnel controls in the brick/mortar store.

If you go and put both keys on the server then the exercise is basically
worthless. But do it right and you can make the best of a bad idea. Part
of doing it right is employee training. Stuff like 'delete the order off
the web site as soon as you retrieve it' and forcing any view of data to
be done visually over SSL. No downloads unless you do something like
secure FTP with an encrypted password string... the latter being easier
said than done unless you can specify the ftp server and ftp client.

If this is a company that is big enough to have branch offices then they
should also be big enough to spend the relatively small dollars for a
merchant connection. Cheapskates?

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com http://mysecretbase.com





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218909


Re: Credit card storage

2005-09-21 Thread Mike Little
thanks bryan, i am tending to think that the only option IS to go with a 
payment server. m.

 Rather than use a dedicated payment server for their online store, they
 wish for the transaction including credit card to be stored for
 retrieval. They would then process the transaction manually using
 EFTPOS. (each store receives orders based on the billing address
 entered)

Well that is illegal for one thing...if the cc companies catch them they 
will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE 
Txs...using the terminal for online sales is a no no

Storing CC numbers opens the site up to an expensive security audit from the 
cc companies and opens the client (and possibly yourself) to some major 
liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!


 My question is, is there a safe way to do this. I am pretty reluctant to
 store credit card information - it would be in an SQL Server db at my
 webhost.

Yes...but see above ;-)

HTH

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218911


Re: Credit card storage

2005-09-21 Thread Alan Rother
I agree with Matt, it's not illegal. It does violate SOME credit card
companies' policies regarding the proper handling of credit card data.

The one exception to the rule is if you encrypt the data when you store it.
Don't use a one way hash, you need to use a strong encryption algorithm.
Something like blowfish. The only real risk is if you are in a shared
hosting environment someone can hack your site in minutes and find the
decryption module and suck your database dry.

If you are on a shared server I would not store credit card information in
your database. There is NO WAY TO PROTECT YOUR DATA. I can't stress this
point enough. If I have a website on the same server as you, it would take
me a matter of minutes to completely hack your app and database.

=]

If you are on your own box and you can protect it thoroughly it would be OK
to store the CC info, but I would still advise against it.

 On 9/21/05, Mike Little [EMAIL PROTECTED] wrote:

 thanks bryan, i am tending to think that the only option IS to go with a
 payment server. m.

  Rather than use a dedicated payment server for their online store, they
  wish for the transaction including credit card to be stored for
  retrieval. They would then process the transaction manually using
  EFTPOS. (each store receives orders based on the billing address
  entered)
 
 Well that is illegal for one thing...if the cc companies catch them they
 will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE
 Txs...using the terminal for online sales is a no no
 
 Storing CC numbers opens the site up to an expensive security audit from
 the
 cc companies and opens the client (and possibly yourself) to some major
 liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!
 
 
  My question is, is there a safe way to do this. I am pretty reluctant
 to
  store credit card information - it would be in an SQL Server db at my
  webhost.
 
 Yes...but see above ;-)
 
 HTH
 
 Cheers
 
 Bryan Stevenson B.Comm.
 VP & Director of E-Commerce Development
 Electric Edge Systems Group Inc.
 phone: 250.480.0642
 fax: 250.480.1264
 cell: 250.920.8830
 e-mail: [EMAIL PROTECTED]
 web: www.electricedgesystems.com http://www.electricedgesystems.com

 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218915
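Matt Robertson's public/private key setup (only the public key on the web server, the private key held in the store) is the answer to the shared-hosting risk Alan Rother describes, where the decryption module sits on the same box as the data. The Go code below is an added example, not code from the thread or from the perthweb product Matt links: it wraps a per-order AES-GCM key with RSA-OAEP so the server can seal orders but never open them, and the order payload is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties the wrapped key to this use; seal and open must agree on it.
var oaepLabel = []byte("store-order-data-key")

// Envelope is what the web server persists for an order carrying card data:
// the order sealed under a fresh AES-256-GCM key, plus that key wrapped with
// the store's RSA public key. Nothing in it opens without the private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(storePublicKey, dataKey)
	Nonce      []byte // GCM nonce, fresh per envelope
	Ciphertext []byte // AES-GCM(dataKey, order) with the auth tag appended
}

// GenerateStoreKey runs once, offline, in the brick-and-mortar store. Only
// the PublicKey half is ever copied to the web server.
func GenerateStoreKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// SealOrder runs on the web server with only the public key: a compromised
// host, or a co-tenant on shared hosting, finds ciphertext and a key that can
// encrypt but never decrypt.
func SealOrder(pub *rsa.PublicKey, order []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	defer wipe(dataKey) // the plaintext data key exists only for this call
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, order, nil)}, nil
}

// OpenOrder runs in the store on the machine holding the private key. GCM
// authentication rejects a tampered or wrongly keyed envelope outright.
func OpenOrder(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer wipe(dataKey)
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope failed authentication: %w", err)
	}
	return plain, nil
}

func main() {
	priv, err := GenerateStoreKey(2048)
	if err != nil {
		panic(err)
	}
	env, err := SealOrder(&priv.PublicKey, []byte(`{"order":"1001"}`)) // constructed order
	if err != nil {
		panic(err)
	}
	plain, err := OpenOrder(priv, env)
	fmt.Println(string(plain), err)
}
```

The private key still has to be handled the way Matt describes (retrieved and used in the store, never pasted into the web host), since the envelope protects the stored data, not the key.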