This is totally up to the business running OFBiz. Obviously different businesses have different policies.

It wouldn't be too hard to change the ecommerce and order processing stuff to either not save CC info to the database at all, or to just remove the information after the initial authorization is complete.

I don't think you can do a re-auth without the CC info, that is usually considered a separate transaction anyway. Of course, if you ship things quickly and either rarely or never take backorders, then it shouldn't be needed.

All by company policy... there are endless combinations of these options and some are available through configuration options and some require small code changes, or add-in code or whatever.

OFBiz doesn't enforce or require any policy, but default settings are basically meant to represent the most common requirements we see, aka "best practices".

-David


On Oct 31, 2007, at 2:03 AM, Philip Laing wrote:


Yes, I have to agree, Philip ... Not only is this a very high risk because it encourages hackers to break in to obtain this valuable information, but in
my opinion it is only asking for trouble.

Looking at the business process of re-authorizing the card in case of
refunding the customer, I am confident there is a way of covering
're-authorise the card' rather than storing credit card details. Or at least giving the shop owner a way of stopping storing credit card details, as I
know I and many others will not use this feature because of the obvious
dangers involved.

Thanks

Phil

-----Original Message-----
From: Jacques Le Roux [mailto:[EMAIL PROTECTED]
Sent: Monday, 22 October 2007 5:58 PM
To: user@ofbiz.apache.org
Subject: Re: Ofbiz and saved credit card info

From: "Phillip Rhodes" <[EMAIL PROTECTED]>


Hi everyone,

It appears that ofbiz is saving credit card information. While there is
sometimes a business need to do this, very often, there
is not. For example, with cybersource and verisign, all you need to store
is the authorization code.  With the authorization code,
you can perform settlements, and returns. Of course, there could be a
back-office process that runs credit cards, so it would be
necessary in that case.

I am bringing this issue up because holding this information is a risk.
It would be nice if ofbiz could provide a means by which
organizations would be able to opt out of having credit card information
stored for their customers.

This is an interesting idea, but you should also consider that if for any
reason you need to re-authorise the card you will not be
able to (there are some cases where you will need to do that: amount change -
not able to deliver all -, etc.)

YMMV depending on your payments provider (though I guess an auth is not a
re-auth everywhere in the world)

Jacques

