Securing a web site, SSL, etc...

Discussion in 'OT Technology' started by sonicyouth, Oct 7, 2003.

  1. sonicyouth

    sonicyouth Guest

    OK, bear with me here since I don't know much (if anything) about SSL. I have a friend that will be accepting credit card information through a perl script and then to his e-mail so he needs to secure only one page (as far as I know). I am wondering if there is any alternative to this besides paying money each year to verisign or geotrust to secure a server.

    Simply put, what are the different options?
     
  2. Astro

    Astro Code Monkey

    NO NO NO NO email - DO NOT - I REPEAT DO NOT

    DO NOT EMAIL THE CREDIT CARD NUMBERS! Ever. Don't even think of it.

    If you must email the credit card number then you're doing something wrong. Period. Unless you truly, completely, have a full and complete understanding of email encryption, decryption, and public/private keys.

    Email IS NOT secure. Encrypting the email is a start, but I'm going to say that's still too risky (especially since it sounds like you two do not have a full grasp of web security - which is ok, but it means email is out).

    SSL is needed to encrypt the credit card number and the purchase information as it leaves the customer's browser and makes it to your server and to encrypt the transaction data as it leaves your server to go to a dedicated payment service (typically called payment gateways). Even this is not totally secure, but it's about the best you can do.

    Once your server has it, it should initiate the credit card processing (aka: automated process). Can't afford to do this? Then you can't afford to have ticked off customers because their numbers got out due to lack of security.

    I consider this the best practice:

    Customer
    |
    V
    SSL -> transmit transaction data
    |
    V
    Your web site
    |
    V
    code performs mod10 CC card number check and simple CC card number to CC card type match - if no match, present error to user. If passes ok, then move on to next step.
    |
    V
    SSL -> transmit to 3rd party payment authorization gateway
    |
    V
    Wait for response (usually 5-30 seconds)
    |
    V
    Record transaction. Send receipt to customer (email & on screen ideal)
    ** Note: record transaction means record the amount and the STATUS of the transaction. Do not record the credit card number. And if you must record it, record the last 4 digits and that's IT. Period. This means if someone hacks the database or text file or whatever, there won't be any credit card numbers for them to get. Plain and simple. (See why email won't work?)

    Online CC processing requires an Internet flavored merchant account. Your friend may have a sales counter flavored merchant account or an over-the-phone (or "not in person") merchant account. If they have the 2nd flavor, then getting an Internet flavored one will not be too difficult.

    Credit card processing is a serious business. I take it very personally and treat ANY transaction as if it was with my own card number. Please, do the same with this site. All I can say is you can't afford to do it wrong. Hire someone to help you, go PayPal (or some flavor of), or require folks to place the order but either call them back for the card number or have them call you.
     
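The validation and record-keeping steps in the flow above (mod 10 check, card-number-to-card-type match, storing only the last four digits), as an added Python example that is not from the thread or from either poster. The issuer prefix rules are a constructed, simplified table, and the numbers used in the tests are constructed test values, not real cards.

```python
import re

# Constructed, simplified issuer rules (prefix and length); not an authoritative table.
CARD_TYPES = [
    ("Visa", re.compile(r"^4\d{12}(\d{3})?$")),           # 13 or 16 digits
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),        # 16 digits
    ("American Express", re.compile(r"^3[47]\d{13}$")),   # 15 digits
    ("Discover", re.compile(r"^6011\d{12}$")),            # 16 digits
]

def normalize(number):
    """Drop the spaces and dashes customers commonly type between digit groups."""
    return re.sub(r"[\s-]", "", number)

def luhn_ok(number):
    """Mod 10 (Luhn) checksum: double every second digit from the right, sum, check mod 10."""
    digits = normalize(number)
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9           # same as adding the two digits of the product
        total += d
    return total % 10 == 0

def card_type(number):
    """Return the issuer whose prefix/length rule matches the number, or None."""
    digits = normalize(number)
    for name, pattern in CARD_TYPES:
        if pattern.match(digits):
            return name
    return None

def validate(number, claimed_type):
    """The two checks from the flow: checksum first, then type match. Returns (ok, message)."""
    if not luhn_ok(number):
        return False, "card number failed checksum"
    if card_type(number) != claimed_type:
        return False, "card number does not match selected card type"
    return True, "ok"

def transaction_record(number, amount, status):
    """What the site stores: amount, status and the last four digits, never the full number."""
    return {"amount": amount, "status": status, "last4": normalize(number)[-4:]}
```

A failed checksum or a type mismatch is returned to the user as an error before anything is sent to the gateway, and the stored record never contains the full number.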