Credit card details submit considerations
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Hi,
I want visitors to my site to be able to pay for registration to events.
What security risks should I take into consideration when developing such a feature, and what would be the best form of defence against these risks?
Please note: I am not asking for in-depth answers; I'm simply trying to understand where the important risks lie.
Thanks.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Credit card details submit considerations
aceconcepts wrote:
what would be the best form of defence against these risks?
The risks generally far outweigh the benefits, considering you can easily outsource the transaction aspect of your website to a 3rd party (PayPal, ePassporte, etc.).
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
I am pretty sure you can be fined and lose your ability to process credit card transactions with Visa if you don't adhere to these standards:
https://www.pcisecuritystandards.org/
Here is a little more info from VeriSign:
Payment Card Industry Compliance
The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.
http://www.verisign.com/verisign-busine ... index.html
In terms of developing the app:
- SQL injection attacks to retrieve stored information
- user/admin login attacks to view personal/private information
- SQL user/admin login attacks to gain access to stored information
- SQL/web server login attacks (minimalized via webhost [usually])
- stream intercepts, requires use of SSL which costs money
There are probably more; these are just some of the main ones that I can think of right now.
Yes, you are doing the transaction manually, but that part is moot if you look at the risks involved in merely retrieving and storing the CC information, let alone the actual processing of payment.
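An added illustration of the first item in that list (example code, not from this thread): an event-registration lookup built by string concatenation beside the parameter-bound version, run over a constructed in-memory SQLite table. Following the advice above, the table holds only a payment-processor reference and the last four digits, never the full card number; the table and values are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: an event-registration table that stores only a
# payment-processor reference and the last four digits, not the card number.
REGISTRATIONS = [
    ("alice@example.com", "Spring Workshop", "PAYREF-0001", "4242"),
    ("bob@example.com", "Spring Workshop", "PAYREF-0002", "0005"),
    ("carol@example.com", "Autumn Summit", "PAYREF-0003", "1111"),
]


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrations (email TEXT, event TEXT, "
        "payment_ref TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO registrations VALUES (?, ?, ?, ?)", REGISTRATIONS)
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the user-supplied value becomes part of the SQL text."""
    sql = ("SELECT email, payment_ref, card_last4 FROM registrations "
           "WHERE email = '" + email + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameter binding: the value is passed as data and can only match literally."""
    sql = "SELECT email, payment_ref, card_last4 FROM registrations WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo(email):
    """Return (rows from the concatenated query, rows from the bound query)."""
    conn = build_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_safe(conn, email))


if __name__ == "__main__":
    print(demo("alice@example.com"))  # (1, 1): both queries find one record
    print(demo("' OR '1'='1"))         # (3, 0): concatenation dumps every row, binding finds none
```

Even with no full card numbers stored, the concatenated query hands every registrant's email and payment reference to a crafted input, which is the "retrieve stored information" risk the list names.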
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
aceconcepts wrote:
I agree 100% that this issue should be out-sourced to a third party. It's trying to convince "non-techy" people who are set in their ways that is hardest!!!
I find it rather easy. "Do you want the liability and cost of liability insurance to store, in any form, for any amount of time, sensitive financial information such as credit cards?" They often answer "no" quickly.