Re: Where to encrypt - cf or db or both?

2010-02-20 Thread David McCan
I want to encrypt billing information in an ecommerce app. I know the argument against storing it, and we are considering not storing it. But I just want to explore options. So I can encrypt in cf with aes, or in sql server with a certificate and triple des symmetric key, or both cf AND sql

Re: Where to encrypt - cf or db or both?

2010-02-19 Thread Cameron Childress
On Thu, Feb 18, 2010 at 7:26 PM, Eric Nicholas Sweeney n...@bigfatdesigns.com wrote: To me, recommending a service is like answering the question How do you hammer a nail? with the answer being Hire a contractor. It's more like saying I plan on building an entire house, and then I plan to

Re: Where to encrypt - cf or db or both?

2010-02-19 Thread Casey Dougall
On Thu, Feb 18, 2010 at 5:44 PM, Matthew Smith chedders...@gmail.com wrote: I want to encrypt billing information in an ecommerce app. I know the argument against storing it, and we are considering not storing it. But I just want to explore options. So I can encrypt in cf with aes, or in

Re: Where to encrypt - cf or db or both?

2010-02-19 Thread Judah McAuley
On Thu, Feb 18, 2010 at 9:58 PM, Eric Nicholas Sweeney n...@bigfatdesigns.com wrote: Someone mentions CC's or SSN's and everyone freaks out and tells you to call their lawyer. Well - ok - that's all fine and dandy - point taken - let's move on - that kind of talk doesn't really address the

RE: Where to encrypt - cf or db or both?

2010-02-19 Thread Eric Nicholas Sweeney
Actually Judah - I was very appreciative of your time and have been examining and researching some of the methods you discuss. I'm sorry you feel otherwise. Yours was the first answer that actually got into some of the nuts and bolts... That is why I specifically asked about how the public/private

Re: Where to encrypt - cf or db or both?

2010-02-19 Thread Dave Watts
I'm not trying to get around HIPAA, PCI or Sarbanes-Oxley - or anything else. I am trying to explore how I may use their standards to develop something to fit within their guidelines. I was wondering what it would actually take to do that. Preferably without a 3rd party... I thought perhaps

Re: RE: Where to encrypt - cf or db or both?

2010-02-19 Thread Dave Watts
However, I do not feel walk away from the client is necessarily the right answer here or very constructive. I mean - cripes - can't we just explore it from an academic perspective?? What if I want to store something else as securely as credit card data. Like a cookie recipe. Then you should

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Alan Rother
What is required for PCI compliance? Short answer, if you're storing it, obtaining PCI compliance is nearly impossible* *Impossible: SO fraggin expensive and complicated it's not worth doing. My 2cents on encryption: I'd use CF and a complex rotating schema of keys. If you use the SQL server

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Maureen
I second the comments about not storing it unless absolutely required. You are just buying headaches. For PCI, go forth and read: https://www.pcisecuritystandards.org/index.shtml On Thu, Feb 18, 2010 at 2:44 PM, Matthew Smith chedders...@gmail.com wrote: I want to encrypt billing information

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Matthew Smith
When would an ecommerce site be required to get PCI certified? At what volume of transactions? On Thu, Feb 18, 2010 at 5:25 PM, Maureen mamamaur...@gmail.com wrote: I second the comments about not storing it unless absolutely required. You are just buying headaches. For PCI, go forth and

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Dave Watts
I want to encrypt billing information in an ecommerce app. I know the argument against storing it, and we are considering not storing it. But I just want to explore options. So I can encrypt in cf with aes, or in sql server with a certificate and triple des symmetric key, or both cf AND sql

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Dave Watts
Also, if I encrypt in sql server with a certificate and key, if I back up the live server and restore locally, will the data be accessible? Are the certificates and keys movable? I haven't actually done this with SQL Server. I would, however, be extremely surprised if this isn't portable,
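The T-SQL below is an added example, not code posted by anyone in this thread. It shows the SQL Server side of what Matthew describes (a certificate protecting a Triple DES symmetric key), answers Dave's backup/restore question with the steps that actually make the key chain usable on another instance, and carries through the "rotating schema of keys" Alan mentions. Database, table, column, key and file names and the passwords are assumptions for illustration; the card number is a constructed test value.

```sql
-- Added example (not code from the cf-talk thread). T-SQL for SQL Server
-- column encryption as discussed: certificate -> Triple DES symmetric key.
-- Database, object and file names and the passwords are assumptions.
USE OrdersDb;  -- assumed database name
GO

-- 1. Key hierarchy. The database master key (DMK) gets two protectors:
--    this password, and (automatically) the instance's service master key (SMK).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-P@ssw0rd-ChangeMe!';
CREATE CERTIFICATE BillingCert WITH SUBJECT = 'Billing column encryption';
CREATE SYMMETRIC KEY BillingKey_v1
    WITH ALGORITHM = TRIPLE_DES          -- what the thread proposes; deprecated in
                                         -- SQL Server 2016+, AES_256 is the modern choice
    ENCRYPTION BY CERTIFICATE BillingCert;
GO

-- 2. Encrypt and read back. EncryptByKey prefixes the ciphertext with the
--    key's GUID, so DecryptByKey later locates the right open key by itself.
CREATE TABLE dbo.BillingCard (
    OrderId int            NOT NULL PRIMARY KEY,
    CardEnc varbinary(256) NOT NULL
);
OPEN SYMMETRIC KEY BillingKey_v1 DECRYPTION BY CERTIFICATE BillingCert;
INSERT dbo.BillingCard (OrderId, CardEnc)
VALUES (1001, EncryptByKey(Key_GUID('BillingKey_v1'), N'4111111111111111')); -- constructed test PAN
SELECT OrderId,
       CONVERT(nvarchar(32), DecryptByKey(CardEnc)) AS CardNumber   -- returns the PAN while the key is open
FROM dbo.BillingCard;
CLOSE SYMMETRIC KEY BillingKey_v1;
GO

-- 3. Portability (the backup/restore question). DMK, certificate and symmetric
--    key all live INSIDE the database, so a full backup carries them. What does
--    not travel is the original instance's SMK. After RESTORE DATABASE on another
--    server, re-attach the DMK to that instance's SMK using the DMK password:
--      OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Dmk-P@ssw0rd-ChangeMe!';
--      ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
--    Until then, OPEN SYMMETRIC KEY fails because the DMK cannot be opened.
--    Security consequence: whoever holds the .bak file and the DMK password
--    holds every card number. Keep a separate, off-box export of the certificate
--    so recovery does not depend on the database backup alone:
BACKUP CERTIFICATE BillingCert
    TO FILE = 'D:\keys\BillingCert.cer'                     -- assumed path
    WITH PRIVATE KEY (FILE = 'D:\keys\BillingCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk-P@ssw0rd-ChangeMe!');
GO

-- 4. Rotation. Create v2, open both keys, re-encrypt every row in one pass.
--    DecryptByKey picks v1 or v2 per row from the embedded key GUID, so old and
--    new ciphertexts can coexist while the rotation runs.
CREATE SYMMETRIC KEY BillingKey_v2
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE BillingCert;
OPEN SYMMETRIC KEY BillingKey_v1 DECRYPTION BY CERTIFICATE BillingCert;
OPEN SYMMETRIC KEY BillingKey_v2 DECRYPTION BY CERTIFICATE BillingCert;
UPDATE dbo.BillingCard
SET CardEnc = EncryptByKey(Key_GUID('BillingKey_v2'), DecryptByKey(CardEnc));
CLOSE SYMMETRIC KEY BillingKey_v1;

-- Verify with ONLY v2 open before retiring v1: any row that still needs v1
-- decrypts to NULL here and would be lost if the old key were dropped.
SELECT COUNT(*) AS RowsStillOnOldKey
FROM dbo.BillingCard
WHERE DecryptByKey(CardEnc) IS NULL;     -- must be 0
CLOSE ALL SYMMETRIC KEYS;
-- DROP SYMMETRIC KEY BillingKey_v1;     -- only once the count above is 0
GO
```

The check in step 4 is the one worth keeping: because `DecryptByKey` silently returns NULL when the matching key is not open, a rotation that drops the old key without it turns undecryptable rows into permanent data loss rather than an error.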

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread James Holmes
Don't store it. You can save some money and check each transaction manually by using e-Path instead of a traditional gateway: http://www.e-path.com.au/ mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/ On 19 February 2010 06:44, Matthew Smith

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Eric Nicholas Sweeney
I run into this problem/question as well - for small companies/storefronts who want to offer online purchasing or bill pay... From their business perspective it doesn't make sense to purchase an online payment gateway. The reasons vary - but usually it is because of extremely low volume and/or

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Maureen
There are many methods for small online businesses to accept credit cards without storing the data on their servers - paypal, google payments, authorizenet, etc...and the cost per transaction is not going to be any more than it would be if they used their own Merchant processor manually, and in

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Judah McAuley
I concur with Maureen, look at Google and Paypal. The key there is that you send the user off to Google's site and the CC info is entered there, not on your client's site, so you don't even have to worry about SSL on the client site, let alone PCI compliance. Years and years ago, I did do an

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Matthew Smith
Ok, I'm convinced, we shouldn't store it. So what's the best way to carry it to the final order commitment step? Session variables? On Thu, Feb 18, 2010 at 6:07 PM, Maureen mamamaur...@gmail.com wrote: There are many methods for small online businesses to accept credit cards without

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Dave Watts
When would an ecommerce site be required to get PCI certified?  At what volume of transactions? My understanding is that you must comply with PCI-DSS if you handle a single transaction. I don't know if certification is ever required, but you may well be liable if you're not certified and you

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Eric Nicholas Sweeney
Yes Maureen - I know this. What we are asking is - What if the customer DOESN'T WANT TO USE THOSE - What if they want you to store the credit card anyway... regardless of compliance. (Compliance isn't law...) What if that is your option? What then? How should you do it? Matt's original

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Judah McAuley
On Thu, Feb 18, 2010 at 4:26 PM, Eric Nicholas Sweeney n...@bigfatdesigns.com wrote: To me, recommending a service is like answering the question How do you hammer a nail? with the answer being Hire a contractor. In this case, the answer is hire a lawyer because you will be dragged into any

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Josh Nathanson
To me, recommending a service is like answering the question How do you hammer a nail? with the answer being Hire a contractor. Well...not exactly. There aren't huge legal ramifications if you decide to hammer the nail yourself. In this case hire a contractor is the right answer.

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Josh Nathanson
So what's the best way to carry it to the final order commitment step? Session variables? Best case scenario, it IS the final order step. That way it is never stored in a persistent scope. Most eCommerce sites seem to do it that way (there are exceptions of course). -- Josh

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Dave Watts
Yes Maureen - I know this. What we are asking is - What if the customer DOESN'T WANT TO USE THOSE - What if they want you to store the credit card anyway... regardless of compliance. (Compliance isn't law...)  What if that is your option? What then? How should you do it? Sometimes the best

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Mark A. Kruger
Dave, You win my weekly erudition award :) -Mark Mark A. Kruger, MCSE, CFG (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: Thursday, February 18, 2010 6:41 PM To: cf-talk Subject:

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Dave Watts
You win my weekly erudition award :) Is there a cash prize attached? I've been involved with quite a few lawsuits lately, as an expert witness. People get sued for the darndest things. If a development client asked me to build persistent storage of CC info, I'd require complete indemnification

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread James Holmes
The e_Path provider I linked earlier caters for specifically this kind of situation. mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/ On 19 February 2010 07:57, Eric Nicholas Sweeney n...@bigfatdesigns.com wrote: From their business perspective it doesn't make

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Matthew Smith
Ok, so, obviously there are a ton of issues involved. I don't think we could hand off the payment to paypal because some of the stuff they are selling is unique. The final order step involves transactional locking and I can't hold up the process and wait for them to come back to our site. We have

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Maureen
Then the client is an idiot, and you are taking a grave risk in allowing them to proceed. Please let us know who it is so we don't use their web site and expose our credit card numbers to potential hackers. Not long ago I had a project with a large government agency who wanted to store all

Re: Where to encrypt - cf or db or both?

2010-02-18 Thread Jason Fisher
Agreed. The question has come up from the OP on how to deal with the CC if you never have it in persistent scope, and the answer is simply that capturing the CC number (and IPV code etc) should only ever be the final step. In other words: * build the cart: in session or DB, your preference

RE: Where to encrypt - cf or db or both?

2010-02-18 Thread Eric Nicholas Sweeney
I understand the legal ramifications very well - very well versed in it all - I used to design Internet Banking Apps (GUI - not backend) and I am a reseller of Authorize.net... It's in my best interest to use them and I push them continually. I get all your points and agree 100%. I understand it's