Credit Card

Posted: Sat Oct 21, 2006 7:55 am
by spartan7
How safe is it to have credit card details emailed in a form and then processed manually?

Posted: Sat Oct 21, 2006 8:03 am
by feyd
Not very safe, nor is storing the information on your own servers. Third party processors are generally the safest, as it shifts the liability to them.

Re: Credit Card

Posted: Sat Oct 21, 2006 1:40 pm
by Christopher
spartan7 wrote: How safe is it to have credit card details emailed in a form and then processed manually?
I would guess that it is probably illegal in most places to do that or would also probably be in violation of the credit card's rules.

Posted: Sat Oct 21, 2006 2:03 pm
by Buddha443556
Might want to look into Visa's Cardholder Information Security Program (CISP) or Mastercard's Site Data Protection program (SDP) which are both based on PCI Data Security Standards. You should find a lot of Do's and Don'ts.

Posted: Sat Oct 21, 2006 2:24 pm
by Christopher
You could use something like PGP to encode the emails...

Posted: Mon Oct 23, 2006 8:55 pm
by akimm
Ok, maybe I don't know what I'm talking about, but I can say a few things I think are helpful :-)

1) use POST not GET in any instance of important info exchange.
2) if you use sendmail or mail() there are many problems, use something like swiftmailer.
3) this is where I speculate, bear with me, but why not use serialize() so the data is not *normally* human readable (I use asterisks on normally, because I wonder if a few geniuses on this site can read binary hehe).

I hope this was helpful.

Posted: Mon Oct 23, 2006 11:04 pm
by John Cartwright
akimm wrote: 1) use POST not GET in any instance of important info exchange.
This is what we call security through obscurity, which in fact is not security at all. POST content can be sniffed just as easily as GET content.
akimm wrote: 3) this is where I speculate, bear with me, but why not use serialize() so the data is not *normally* human readable (I use asterisks on normally, because I wonder if a few geniuses on this site can read binary hehe).
Once again, a simple unserialize will retrieve the original data. Not safe.
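
Added example (not part of any post in this thread): a short PHP check showing that neither serialize() nor the POST/GET encoding hides a card number from a plain pattern scan with a Luhn checksum. The form fields and the helper names luhn_valid() and find_card_numbers() are hypothetical, and the sample data is constructed (4111111111111111 is a widely used test number).

```php
<?php
// Constructed sample form data; not real cardholder data.
$form = [
    'name'   => 'Test Customer',
    'number' => '4111111111111111',
    'expiry' => '12/08',
];

// Luhn checksum: separates plausible card numbers from arbitrary digit runs.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Return every 13-19 digit run in $text that passes the Luhn check.
function find_card_numbers(string $text): array
{
    preg_match_all('/(?<!\d)\d{13,19}(?!\d)/', $text, $m);
    return array_values(array_filter($m[0], 'luhn_valid'));
}

// serialize() output is ordinary text; no unserialize() is needed to read it.
$serialized = serialize($form);
echo $serialized, "\n";
var_dump(find_card_numbers($serialized));

// The same key=value encoding is used for a GET query string and a
// form-encoded POST body, so the number is equally visible in both.
var_dump(find_card_numbers(http_build_query($form)));
```

The same scan can be pointed at outgoing mail bodies or log files to find places where card numbers are being stored or sent in the clear.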

Posted: Mon Oct 23, 2006 11:11 pm
by akimm
Since you seem to have a much clearer grasp, do the programmer a favor and tell him or suggest at least what to do. I gave my most earnest attempt.

Posted: Mon Oct 23, 2006 11:14 pm
by John Cartwright
I thought it was already pretty clear that the question was answered.

Posted: Mon Oct 23, 2006 11:23 pm
by akimm
I didn't realize that (that wasn't to call you out), I just felt as if since I gave wrong info, I'd like to see the proper info provided, I hate doing wrong for people.

To me, it just seemed unanswered still. Excuse me if I offended.

Posted: Tue Oct 24, 2006 3:08 am
by Maugrim_The_Reaper
I don't see any uncertainty - sending a CC number by email is simply not done. So don't do it. If someone wants your credit card number for a regular service payment they should have a self or 3rd party service under SSL - not email. If it's a once off payment between parties you should consider exchanging payment through PayPal.