[BLUG] accepting credit card #s from a web form
Mark Krenz
blug_at_mailman.cs.indiana.edu
Sun, 25 Feb 2007 22:28:00 +0000
Man, and I just bought a PCI express video card. Now there is PCI DSS?
Oh wait...
On Sun, Feb 25, 2007 at 10:21:40PM GMT, Gaddis, Jeremy L. [jlgaddis_at_ivytech.edu] said the following:
> Just keep in mind the things that PCI DSS says you can't do, such as
> transmit cardholder unencrypted, email it, or store the complete number
> (unencrypted)...
>
> --
> Jeremy L. Gaddis
> Network Administrator
> 812.330.6156 (w) 812.391.0358 (m)
>
> ----- Original Message -----
> From: blug-admin_at_cs.indiana.edu <blug-admin_at_cs.indiana.edu>
> To: blug_at_cs.indiana.edu <blug_at_cs.indiana.edu>
> Sent: Sun Feb 25 15:46:18 2007
> Subject: Re: [BLUG] accepting credit card #s from a web form
>
> (this response is for Jeremy Gaddis too),
>
> Most of my customers use PayPal, and we may end up just going with
> PayPal for this client too. However, he does have a manual card swipe
> machine, and these particular transactions don't have to be real-time
> (registration fees for an upcoming class). Therefore, if there is
> any way to take credit card numbers securely, this would likely be an
> attractive option to the client, so I thought I'd at least research
> this option.
>
> He will have an email account on the same machine, so I've thought
> about doing PGP encryption, or even just dropping in the email into
> his mailbox as is since it will never leave the server. I've also
> thought about writing to a database, and writing to a flat file. None
> of these sound foolproof, but maybe a combination of technologies
> might work?
>
>
> On Feb 25, 2007, at 3:32 PM, David Ernst wrote:
>
> > Not a true answer to your question, but on the subject:
> >
> > I recommend that you at least consider outsourcing this. PayPal and
> > many others make it very easy to accept credit cards over the web, you
> > don't need your own merchant account, their rates are competitive,
> > they focus on security so they ought to be better at it than us
> > average hackers, and if nothing else, if they blow it, they get sued
> > for mishandling the credit card numbers instead of you. For these
> > reasons, I've never done it myself, I've always outsourced it.
> >
> > Of course, there are many reasons that you might not want to do that,
> > and if so, this message doesn't really apply... if so, I respectfully
> > request that you respectfully ignore it. :)
> >
> > Best of luck,
> >
> > David
> >
> >
> > On Sun, Feb 25, 2007 at 12:46:18PM -0500, Joe Auty wrote:
> >> Hey Guys,
> >>
> >> Any suggestions on some decently secure ways to do this? Seems like
> >> one hurdle is in the web server having to write to a file/database/
> >> email where the number will be saved, at least temporarily, so it
> >> seems like a bit of a challenge to make a sort of secure bridge
> >> here...
> >>
> >>
> >> Just thought I'd see if you guys have any creative ideas? Just
> >> mulling over some ideas myself...
> >>
> >> -----------
> >> Joe Auty
> >> NetMusician: web publishing software for musicians
> >> http://www.netmusician.org
> >> joe_at_netmusician.org
> >>
> >>
> >
> > --
> > yes, this is a new email address. The old one still works, but it'd
> > be great if you switched your addressbook entry to
> >
> > david.ernst_at_davidernst.net
> > _______________________________________________
> > BLUG mailing list
> > BLUG_at_linuxfan.com
> > http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/