Credit card details submit considerations

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Credit card details submit considerations

Post by aceconcepts »

Hi,

I want visitors to my site to be able to pay for registration to events.

What security risks should I take into consideration when developing such a feature and what would be the best form defence against these risks?

Please note: I am not asking for in-depth answers, I'm simply trying to understand where the important risks lie.

Thanks.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Credit card details submit considerations

Post by John Cartwright »

aceconcepts wrote: what would be the best form defence against these risks?
The risks generally far outweigh the benefits, considering you can easily outsource the transaction aspect of your website to a 3rd party (paypal, epassporte, etc).
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Post by aceconcepts »

This is true, but we will not be processing the card details online. They will be downloaded and manually processed.

I know what you're thinking... but this is not my idea. I'm simply the builder and that's it.

So any thoughts would be appreciated.

Thanks.
phpdevuk
Forum Contributor
Posts: 220
Joined: Mon Jul 04, 2005 5:31 am
Location: UK

Post by phpdevuk »

I believe here in the UK there are legal reasons why you can't hold credit card details online. I think a lot of the banks won't work with you either if you do; one place I worked looked into developing a system to hold details encrypted with various security checks in place.
boo
Forum Commoner
Posts: 42
Joined: Mon Jul 02, 2007 11:30 am
Location: NY

Post by boo »

I am pretty sure you can be fined and lose your ability to process credit card transactions with Visa if you don't adhere to these standards:

https://www.pcisecuritystandards.org/

Here is a little more info from VeriSign:

Payment Card Industry Compliance
The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.

http://www.verisign.com/verisign-busine ... index.html
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

In terms of developing the app:

SQL injection attacks to retrieve stored information
user/admin login attacks to view personal/private information
SQL user/admin login attacks to gain access to stored information
SQL/web server login attacks (minimalized via webhost [usually])
stream intercepts, requires use of SSL which costs money

There are probably more, these are just some of the main ones that I can think of right now.

Yes you are doing the transaction manually, but that part is moot if you look at the risks involved in merely retrieving and storing the CC information, let alone the actual processing of payment.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Defer the actual card storage risk to a (well known and trusted) third party.
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Post by aceconcepts »

Thanks a lot to all of you who gave me feedback.

I agree 100% that this issue should be out-sourced to a third party. It's trying to convince "non-techy" people who are set in their ways that is hardest!!!

Anyway, thank you.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

aceconcepts wrote: I agree 100% that this issue should be out-sourced to a third party. It's trying to convince "non-techy" people who are set in their ways that is hardest!!!
I find it rather easy. "Do you want the liability and cost of liability insurance to store, in any form, for any amount of time, sensitive financial information such as credit cards?" They often answer "no" quickly. :)