[nycphp-talk] Mom and Pop CC Security
Kevin Regan
kr7178 at albany.edu
Mon Jul 22 13:53:53 EDT 2002

This is a tad complex, but security and efficiency are always an inverse
relationship.

I don't believe in storing the entire credit card number anywhere. If
this is a mom and pop shop, then maybe all the transactions will be done
at the end of the day or possibly bi-daily. I'd set up a routine where
the CC# is stored and displayed with the last 4 numbers missing. A file
with the last 4 numbers and the transaction number is kept somewhere
else, on the same server if need be. The file could then be printed out.
By using the transaction number the store owner would know the full CC#
without it ever being displayed on the screen.

Not the most secure method, but add encryption, algorithms to determine
the transaction number, etc., and this can be much more secure.
Otherwise, trojans can easily be used to steal dozens of CCs.

Kevin Regan
On Monday, July 22, 2002, at 01:35 PM, Jim Musil wrote:
>
> Hi all,
>
> Let's say a user fills in his/her credit card number into a web form and
> then submits the form via
> to a secure server.
>
> The user's order and credit card info are stored in a mySQL database.
>
> Then, the owner of the site goes to a dynamic page which also lives on
> the same secure server. This page lists all the orders and the credit
> card numbers.
>
> The owner then processes the credit card order by hand in his/her shop
> and deletes and marks the order as processed.
>
> What security holes exist in this scenario?
>
> Jim Musil
>
>
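
The split storage described in the reply above, as an added example that is not part of the original thread: the order store holds the card number without its last four digits, a separate store holds the last four keyed by transaction number, and both halves are dropped once the order is processed. Python with two sqlite3 databases standing in for the MySQL table and the separate file; the function names, table layout and random transaction id are assumptions, and the encryption the reply mentions is not shown.

```python
import secrets
import sqlite3

def luhn_ok(digits):
    """Luhn checksum, used to reject mistyped numbers before storing anything."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def open_stores():
    # Assumption: two in-memory databases stand in for the MySQL orders
    # table and the separately kept file of last-four digits.
    orders = sqlite3.connect(":memory:")
    tails = sqlite3.connect(":memory:")
    orders.execute(
        "CREATE TABLE orders (txn TEXT PRIMARY KEY, pan_head TEXT, processed INTEGER DEFAULT 0)"
    )
    tails.execute("CREATE TABLE tails (txn TEXT PRIMARY KEY, last4 TEXT)")
    return orders, tails

def store_card(orders, tails, pan):
    """Split the number; return the transaction id that links the two halves."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    txn = secrets.token_hex(8)  # unpredictable, so ids cannot be guessed or enumerated
    orders.execute("INSERT INTO orders (txn, pan_head) VALUES (?, ?)", (txn, digits[:-4]))
    tails.execute("INSERT INTO tails VALUES (?, ?)", (txn, digits[-4:]))
    orders.commit()
    tails.commit()
    return txn

def order_listing(orders):
    """What the owner's order page shows: the number with the last four missing."""
    rows = orders.execute("SELECT txn, pan_head FROM orders WHERE processed = 0")
    return [(txn, head + "****") for txn, head in rows]

def mark_processed(orders, tails, txn):
    """After the owner has keyed the card in by hand, delete both halves."""
    orders.execute("UPDATE orders SET pan_head = NULL, processed = 1 WHERE txn = ?", (txn,))
    tails.execute("DELETE FROM tails WHERE txn = ?", (txn,))
    orders.commit()
    tails.commit()
```
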