Posted by trlists on 02/08/05 05:25
On 7 Feb 2005 Jochem Maas wrote:
> > I.e., is there a way to get PHP to overwrite the memory
> > used by variables at the termination of a script?
>
> don't know about that but.... best not to accept the CCNs in the
> first place. let the user enter it at authorize.net.
I think this is an extraordinary (and unjustified) level of paranoia.
The memory issue is moot on a dedicated server, and probably on a
shared server as well. On a dedicated server if you can't control the
access well enough to prevent unauthorized people from running programs
to go poking through memory, you've got bigger problems to solve. On
either kind of server the chances of finding a card number are remote
to start with, and even if found it is likely to come with no
associated address or cardholder information.
Also there are far easier ways to get CC numbers than to hope one will
be left lying around in memory. For one thing, a crook can generate CC
numbers very easily -- the check-digit algorithm is published, and the
bank ID numbers at the start I think are readily available as well. Of
course many of those generated will be wrong, but there have to be
enough right ones that a generated number is far easier for them to get
than a number left lying around in memory.
As for not accepting them on your own web page at all, I don't think
commercial enterprises are obligated to go to a level of security that
is that far beyond the norm, and it manifestly does not work in many
site designs where the provider's page simply is not adequate or
appropriate. The basic approach of using SSL from client to server and
again from server to CC processor, and then not storing the full
number, should be plenty good enough, and is for tens of thousands of
commercial web sites. I have never heard of any significant problem
with card numbers being stolen from sites operating this way, nor of
any liability assigned by the CC companies to people following these
(clearly industry standard) practices.
--
Tom
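The post makes two points that a checkout page can act on: the card check-digit algorithm (Luhn) is public, so it proves nothing about whether a card exists and is only useful as a typo filter, and the site should not store the full number. The following is an added example, not code from the thread or from any poster, in Python rather than PHP; the function names, the constructed sample inputs and the 13-19 digit length window are my own assumptions.

```python
import re


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type into card fields.

    Returns the digit string, or '' if anything other than digits remains,
    so callers never pass untrusted punctuation further down the line.
    """
    cleaned = re.sub(r"[ -]", "", raw)
    return cleaned if cleaned.isdigit() else ""


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test (the published algorithm the post refers to).

    Walking from the rightmost digit, every second digit is doubled and,
    if the result exceeds 9, reduced by 9; the number passes when the sum
    of all digits is a multiple of 10. Passing only means the digits are
    self-consistent, not that the card is issued or active.
    """
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """The only form of the number retained after the processor call:
    last four digits for receipts and order lookup, the rest replaced."""
    return "*" * (len(pan) - 4) + pan[-4:]


def accept_card_input(raw: str):
    """Validate a checkout entry and return (masked_pan, error).

    On success error is None; on failure masked_pan is None and error
    names the reason so the form can re-prompt without logging the input.
    The full PAN lives only in this function's local scope on its way to
    the (SSL-wrapped) processor request.
    """
    pan = normalize_pan(raw)
    if not pan:
        return None, "non-digit characters"
    if not 13 <= len(pan) <= 19:  # assumed window for major card brands
        return None, "length out of range"
    if not luhn_valid(pan):
        return None, "check digit mismatch"
    return mask_pan(pan), None


if __name__ == "__main__":
    # Constructed sample entries: a widely published Visa test number,
    # the same with a typo in the last digit, and one with a stray letter.
    for entry in ("4111 1111 1111 1111", "4111-1111-1111-1112", "4111 1111 1111 111x"):
        print(repr(entry), "->", accept_card_input(entry))
```

The masked value is what an order record or log line should carry; if the site needs to re-charge a card later, that is done with a token from the processor, not by keeping the PAN around.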