|
Posted by Richard Lynch on 04/19/05 06:51
On Thu, April 14, 2005 1:57 pm, trlists@clayst.com said:
> On 14 Apr 2005 Chris Shiflett wrote:
>
>> When a user enters a credit card number, there may likely be a
>> verification step before the actual purchase is made. It's better to
>> keep this number on the server (in the session data store) than to
>> unnecessarily expose it over the Internet again (SSL mitigates the risk,
>> but an unnecessary risk is still worth avoiding).
Hmmm.
Seems to *me* that transmitting the CC# via SSL is more secure than
$_SESSION data on a shared server.
I guess on a dedicated server, it's a question of whether you trust your
own box to not have any sneak users on it, versus SSL-sniffing and
decrypting, and I'd *still* have to guess that SSL-sniffing/decrypting is
less common than hacked servers. [shrug] But if Chris says I'm wrong, I
must be wrong on that one.
Frankly, if their CC# failed the validation check, I'd personally just
tell them they typed it wrong, and give them a blank box again.
They'll be too tempted to just try it again without looking at the numbers
if you give it to them all filled in.
You don't think they actually READ those error messages, do you? :-)
If the client paying the bills won't accept that the empty box is "right",
and you can't educate them out of their opinion, I guess you're stuck
shuttling the CC# back and forth over SSL.
> Re last four digits, I have notice that many sites seem to be going to
> showing the last five or six, first four plus last four, etc.
> Apparently people are finding that last four alone isn't sufficient for
> users to recognize the card.
As I understand it...
The first four digits, in almost all instances, matches the BANK
(card-issuer).
Each BANK has, like, one or more ####-....-....-....-.... "series" and
they exlusively control the cards within #### range.
So if somebody uses, say, BankOne for both business and personal, the
first four digits are pretty much guaranteed to be not all that useful to
them.
The odds on any given user having the same last four digits are pretty
narrow.
I suspect that in some cases, the choice of what to display is what comes
back from the Merchant Account Server -- Just display whatever they think
is kosher to send back to you. Seems like a reasonable action to me.
After all, they are the ones actually storing/processing the cards, and
they ought to be the ones who know what they are doing.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|