You are here: RE: [PHP] Credit card storing, for processing « PHP « IT news, forums, messages
RE: [PHP] Credit card storing, for processing

Posted by Richard Lynch on 10/04/17 11:07

Brandon Thompson wrote:
> Wow....I was hoping someone would respond with a little balance to that
> reactionary doomsday speech. Don't get me wrong...those are some very
> valid
> points that need to be considered, but my gosh...

I'd rather frighten away somebody from storing CCs insecurely than
blithely stand by while they risk a small fortune and the [client's]
customers for all time.

> The key-pair idea is very good. I've done systems in the past for clients
> that work in a similar fashion.

Why?

What reason is there for doing this instead of just letting the credit
card vendor store the credit card numbers and setting up a recurring
charge?

Convince me it's a valid reason, and I'll talk welcome more discussion
about how to do it securely. Otherwise, I remain the doom-sayer: DON'T
DO IT

> There are multiple layers of security with two main aspects:
> 1. The technical implemenation and complexity of the system
> 2. The responsibility/priveledges granted to users/admins
>
> You can come up with the most complex, technical "secret key" solution
> around (aspect #1)....but if you entrust that secret key to the wrong
> person
> (aspect #2), it's all for nothing.

NO!

It's not about who you trust: It's about who can BREAK IN and gain access
to the trusted user/admin area.

Or the physical devices and bypass your security completely.

I trusted my client completely and implicitly.

I did NOT trust every single employee, customer, or visitor who could
wander into his office, co-location space, etc.

If you do *NOT* have documented processes in place for how you will keep
out the Bad Guys to every link of the processing chain, software and
hardware, where the credit card number will exist, however briefly, then
you have no business storing credit card numbers.

> In the end...it's about common sense. It's FAR less dangerous to
> implement
> what you are suggesting than it is to simply pay for your dinner with a
> credit card.

Which is FAR less dangerous than Christmas shopping with a credit card.

That doesn't make it safe.

Playing with M-80s is FAR less dangerous than playing with dynamite, which
is FAR less dangerous than playing with nitroglycerine.

NONE of them are "safe" and if you don't follow established procedures and
policies, it's just plain stupid to do it.

> One thing I agree with Richard wholeheartedly on is his "Hi, I'm about to
> perform brain surgery. Which scalpel should I use?" anology. If the
> technicaly aspects of implementing a system like this escape you...then
> please learn how to do it in theory first. Don't "learn on the job" with
> something as precious as your credit rating.

It was clear, to me at least, that the original poster did NOT have a good
grasp on some rather large issues.

More importantly, NOTHING posted indicated a true need to store credit
card numbers.

So, to simplify:
If you don't NEED to store credit card numbers, if you can find ANY way to
*NOT* store credit card numbers, then you will save a TON of money by not
storing them, because storing them comes with a very very very large price
tag in development, maintenance, auditing, and ongoing physical security
of all hardware involved.

If you absolutely HAVE to store credit card numbers, be prepared to shell
out tens of thousands on an annual basis to keep them safe. If that's too
expensive, then you're not ready to store credit card numbers.

--
Like Music?
http://l-i-e.com/artists.htm

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация