Credit card details submit considerations
Posted: Thu Jul 19, 2007 11:13 am
by aceconcepts
Hi,
I want visitors to my site to be able to pay for registration to events.
What security risks should I take into consideration when developing such a feature, and what would be the best form of defence against these risks?
Please note: I am not asking for in-depth answers, I'm simply trying to understand where the important risks lie.
Thanks.
Re: Credit card details submit considerations
Posted: Thu Jul 19, 2007 11:29 am
by John Cartwright
aceconcepts wrote: what would be the best form of defence against these risks?
The risks generally far outweigh the benefits, considering you can easily outsource the transaction aspect of your website to a 3rd party (paypal, epassporte, etc).
Posted: Thu Jul 19, 2007 11:45 am
by aceconcepts
This is true, but we will not be processing the card details online. They will be downloaded and manually processed.
I know what you're thinking... but this is not my idea. I'm simply the builder and that's it.
So any thoughts would be appreciated.
Thanks.
Posted: Thu Jul 19, 2007 12:02 pm
by phpdevuk
I believe here in the UK there are legal reasons why you can't hold credit card details online. I think a lot of the banks won't work with you either if you do; one place I worked looked into developing a system to hold details encrypted, with various security checks in place.
Posted: Thu Jul 19, 2007 12:39 pm
by boo
I am pretty sure you can be fined and lose your ability to process credit card transactions with Visa if you don't adhere to these standards:
https://www.pcisecuritystandards.org/
Here is a little more info from VeriSign
Payment Card Industry Compliance
The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum
standards of security when they store, process and transmit cardholder data.
http://www.verisign.com/verisign-busine ... index.html
Posted: Thu Jul 19, 2007 1:32 pm
by TheMoose
In terms of developing the app:
SQL injection attacks to retrieve stored information
user/admin login attacks to view personal/private information
SQL user/admin login attacks to gain access to stored information
SQL/web server login attacks (minimalized via webhost [usually])
stream intercepts, requires use of SSL which costs money
There are probably more, these are just some of the main ones that I can think of right now.
Yes you are doing the transaction manually, but that part is moot if you look at the risks involved in merely retrieving and storing the CC information, let alone the actual processing of payment.
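An added example, not code from anyone in this thread, that puts TheMoose's two points together in Python: the registration record has no column for the full card number or CVV, keeping only a masked number and a reference from the payment processor (an assumed name; the call to the processor is outside this snippet), and the name lookup is shown both string-built, which the SQL injection bullet warns about, and parameterized.

```python
import sqlite3

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped numbers before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or lookup needs."""
    return "*" * (len(pan) - 4) + pan[-4:]

def open_store() -> sqlite3.Connection:
    """In-memory table for the demo; note there is no column for the PAN or CVV."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration "
                 "(event TEXT, name TEXT, pan_masked TEXT, processor_ref TEXT)")
    return conn

def register(conn, event: str, name: str, pan: str, processor_ref: str) -> str:
    """Validate the card number, then persist only the masked form plus the
    reference the payment processor returned (constructed by the caller here)."""
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check")
    masked = mask_pan(pan)
    conn.execute("INSERT INTO registration VALUES (?, ?, ?, ?)",
                 (event, name, masked, processor_ref))
    return masked

def lookup_unsafe(conn, name: str):
    """String-built query: whatever the visitor typed as 'name' becomes SQL."""
    sql = f"SELECT name, pan_masked FROM registration WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup(conn, name: str):
    """Parameterized query: 'name' is always bound as data, never parsed as SQL."""
    sql = "SELECT name, pan_masked FROM registration WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```

Even with the parameterized lookup, the masked column is the only card data an injection or a leaked database backup could ever expose, which is the point of not storing the rest.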
Posted: Thu Jul 19, 2007 11:38 pm
by feyd
Defer the actual card storage risk to a (well known and trusted) third party.
Posted: Fri Jul 20, 2007 3:39 am
by aceconcepts
Thanks a lot to all of you who gave me feedback.
I agree 100% that this issue should be out-sourced to a third party. It's trying to convince "non-techy" people who are set in their ways that is hardest!!!
Anyway, thank you.
Posted: Fri Jul 20, 2007 5:19 pm
by feyd
aceconcepts wrote: I agree 100% that this issue should be out-sourced to a third party. It's trying to convince "non-techy" people who are set in their ways that is hardest!!!
I find it rather easy. "Do you want the liability and cost of liability insurance to store, in any form, for any amount of time, sensitive financial information such as credit cards?" They often answer "no" quickly.
