Thread: security issue

  #1 bigduke (get into it!, Australia, joined May 2004, 847 posts)

    The client has a peculiar requirement of storing the CC number for order processing.
    Steps taken so far:
    1. The script that takes the CC and the one that puts it in the DB are on SSL.
    2. The CC number is encrypted and stored in the DB.

    Do I need something more to beef up security? I've been a bit skeptical about this whole thing right from the beginning.

  #2 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Well, be sure the database is not vulnerable to unauthorized access either

  #3 mullen (SitePoint Enthusiast, Durham, UK, joined Jul 2004, 82 posts)
    I would be VERY wary of storing the credit card number, even if encrypted. Also, bear in mind that there are legal issues with storing the CVV2 number (the three digit number from the back of the card) - i.e. you aren't allowed to store it.

  #4 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Quote Originally Posted by mullen
    I would be VERY wary of storing the credit card number, even if encrypted. Also, bear in mind that there are legal issues with storing the CVV2 number (the three digit number from the back of the card) - i.e. you aren't allowed to store it.
    I wasn't aware of the law regarding the CVV number. Is it forbidden in any state or country? Just asking because, if you do manual processing you would need that too, and I didn't know about any law preventing the storage of the number.

  #5 bigduke (get into it!, Australia, joined May 2004, 847 posts)
    Oh dang, do you really need the CVV for manual processing? If so, this calls for some last minute tweaks. However, what you chaps have said so far has reinstated my confidence.

    Thanks

  #6 mullen (SitePoint Enthusiast, Durham, UK, joined Jul 2004, 82 posts)
    It depends on your payment processor whether or not you need the CVV2 number. I believe it's usually optional whether or not to use that extra form of security.

    From what I've read, it's illegal to store that number in the UK, but I haven't got a clue about other countries/U.S. states.

  #7 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Well, there still are a couple of both automated/instant and manual processors that don't require the CVV number. Some others just have it optional, for extra security, as mullen said. However, almost everybody uses the CVV for credit card transactions nowadays, and since it provides some extra security, you should use it.

    About the storage of the CVV number, I think that if they forbid the storage of this number, they should forbid the storage of the entire credit card information. I mean, suppose a thief steals your wallet with the credit cards in it. Since he gets to the plastic he then also gets to the CVV number that is plainly written on the back of the plastic. Then, if he bumps into a shop requiring the CVV number he would have no problem.
    Anyway, what I am trying to say is that they either should allow the storage or forbid it for the entire card. But, hey, laws are laws.

  #8 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Oh, and about the cart system you are trying to develop, the first rule in your check-up would be "never trust information from the client side". A lot of carts fell for that one. What I mean is, double check all inputs passed from the user side so that you don't fall for any SQL injection, XSS, price manipulation issues, etc.
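The two checks TRISPECTIVE names, each shown in its vulnerable form beside the hardened one, as an added example that is not code from this thread or from any cart product. It uses Python's sqlite3 against a constructed two-product catalogue; the SKUs, prices and request payloads are made up for the example.

```python
"""Cart input handling: SQL injection and price manipulation, vulnerable vs. hardened.

Added example, not code from the thread. The catalogue is an in-memory SQLite
table with constructed rows; prices are in cents so no float arithmetic is needed.
"""
import sqlite3


def build_catalogue() -> sqlite3.Connection:
    """Constructed sample catalogue (hypothetical SKUs and prices)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("WIDGET-1", "Widget", 1999), ("GADGET-2", "Gadget", 4999)],
    )
    db.commit()
    return db


# --- SQL injection ----------------------------------------------------------

def lookup_vulnerable(db: sqlite3.Connection, sku: str):
    """Vulnerable: the SKU from the request is pasted into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause and returns every row."""
    return db.execute(
        f"SELECT sku, price_cents FROM products WHERE sku = '{sku}'"
    ).fetchall()


def lookup_safe(db: sqlite3.Connection, sku: str):
    """Hardened: the SKU travels as a bound parameter and is only ever compared
    as data, so the same payload simply matches no product."""
    return db.execute(
        "SELECT sku, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchall()


# --- price manipulation -----------------------------------------------------

def total_vulnerable(items) -> int:
    """Vulnerable: trusts the unit price and quantity the browser posted
    (hidden form field, cookie, JavaScript-computed total)."""
    return sum(int(i["qty"]) * int(i["price_cents"]) for i in items)


def total_safe(db: sqlite3.Connection, items) -> int:
    """Hardened: the client supplies only sku and qty; price and existence come
    from the catalogue, and bad quantities are rejected rather than coerced."""
    total = 0
    for i in items:
        qty = int(i["qty"])
        if not 1 <= qty <= 100:
            raise ValueError(f"bad quantity {qty!r}")
        row = db.execute(
            "SELECT price_cents FROM products WHERE sku = ?", (i["sku"],)
        ).fetchone()
        if row is None:
            raise ValueError(f"unknown sku {i['sku']!r}")
        total += qty * row[0]
    return total


if __name__ == "__main__":
    db = build_catalogue()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, payload))   # both products
    print("safe lookup:", lookup_safe(db, payload))               # []
    cart = [{"sku": "WIDGET-1", "qty": 2, "price_cents": 1}]      # client-set price
    print("vulnerable total:", total_vulnerable(cart))            # 2 cents
    print("safe total:", total_safe(db, cart))                    # 3998 cents
```

The same rule covers the card form itself: the amount sent to the processor must be the server-side total, never a figure echoed back from the browser, and every identifier in a query is a bound parameter.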

  #9 mullen (SitePoint Enthusiast, Durham, UK, joined Jul 2004, 82 posts)
    Quote Originally Posted by TRISPECTIVE
    Well, there still are a couple of both automated/instant and manual processors that don't require the CVV number. Some others just have it optional, for extra security, as mullen said. However, almost everybody uses the CVV for credit card transactions nowadays, and since it provides some extra security, you should use it.

    About the storage of the CVV number, I think that if they forbid the storage of this number, they should forbid the storage of the entire credit card information. I mean, suppose a thief steals your wallet with the credit cards in it. Since he gets to the plastic he then also gets to the CVV number that is plainly written on the back of the plastic. Then, if he bumps into a shop requiring the CVV number he would have no problem.
    Anyway, what I am trying to say is that they either should allow the storage or forbid it for the entire card. But, hey, laws are laws.
    The CVV2 number is intended to protect "Cardholder not present" transactions, i.e. those conducted over the phone or Internet. It's to protect against things like people finding till receipts or credit card statements containing the card number. If you don't have the actual card, you won't know the CVV2 number.

    I'm not 100% on all of this so it's worth checking out further to get the latest info. You may well be able to store it temporarily, for instance, if you do batch processing of orders at the end of the day.

  #10 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Yes, another option would be temporary storage. You would store it till the end of the day and after you process it you delete it.
    Oh, in this case I suppose you will not be able to have recurring billing?

    Anyway, as you said, it should be checked out to be sure how things are and get the latest info on this matter.

  #11 okrogius (SitePoint Guru, US, joined Mar 2002, 622 posts)
    You can store CVV2 until the first transaction. If you store it past that time you're violating your agreement with Visa/Mastercard/etc.

    And you certainly can have your recurring billing. You do not need a CVV2 to charge a card. The only reason you need it from the start is to make yourself feel safer with an extra security measure. By your 2nd recurring charge, you're already confident of the card as you already tested it.
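One way to build what bigduke describes in #1 and what okrogius lays out above, as an added example that is not code from this thread or from any processor: the card number is stored under AES-GCM with a key that never enters the database, the CVV2 is held in memory for the first authorization only and the table has no column that could hold it, and later recurring charges reuse the stored number without a CVV2. It assumes the pyca `cryptography` package; the gateway class, the customer id and the test card number 4111 1111 1111 1111 are constructed for the example, and the key is generated at start-up so it runs offline.

```python
"""Card-on-file: first charge with CVV2, recurring charges without it.

Added example, not code from the thread. Requires the pyca `cryptography`
package. FakeGateway is a constructed stand-in for the payment processor that
only records whether a CVV2 was sent, so the flow can be checked offline.
"""
import os
import sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FakeGateway:
    """Hypothetical processor: approves everything, logs what each call carried."""
    def __init__(self):
        self.calls = []

    def charge(self, pan, exp, amount_cents, cvv2=None):
        self.calls.append({"amount": amount_cents, "cvv2_sent": cvv2 is not None})
        return {"approved": True, "auth_code": f"A{len(self.calls):04d}"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, the cheap sanity test before anything is sent or stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    def __init__(self, key: bytes, db: sqlite3.Connection):
        self.aead = AESGCM(key)   # key lives with the app (or an HSM/KMS), never in this DB
        self.db = db
        # No cvv2 column: the schema itself cannot retain the value after authorization.
        db.execute("""CREATE TABLE IF NOT EXISTS cards (
            customer_id TEXT PRIMARY KEY,
            pan_nonce   BLOB NOT NULL,
            pan_ct      BLOB NOT NULL,
            last4       TEXT NOT NULL,
            exp         TEXT NOT NULL)""")

    def _seal(self, customer_id: str, pan: str):
        nonce = os.urandom(12)                       # fresh 96-bit nonce per record
        aad = customer_id.encode()                   # binds the ciphertext to its row
        return nonce, self.aead.encrypt(nonce, pan.encode(), aad)

    def _open(self, customer_id: str, nonce: bytes, ct: bytes) -> str:
        return self.aead.decrypt(nonce, ct, customer_id.encode()).decode()

    def first_charge(self, gw, customer_id, pan, exp, cvv2, amount_cents):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        if not (cvv2.isdigit() and len(cvv2) in (3, 4)):
            raise ValueError("invalid CVV2")
        result = gw.charge(pan, exp, amount_cents, cvv2=cvv2)
        del cvv2                                     # used for this one call, then gone
        if not result["approved"]:
            return result
        nonce, ct = self._seal(customer_id, pan)
        self.db.execute("INSERT OR REPLACE INTO cards VALUES (?, ?, ?, ?, ?)",
                        (customer_id, nonce, ct, pan[-4:], exp))
        self.db.commit()
        return result

    def recurring_charge(self, gw, customer_id, amount_cents):
        row = self.db.execute(
            "SELECT pan_nonce, pan_ct, exp FROM cards WHERE customer_id = ?",
            (customer_id,)).fetchone()
        if row is None:
            raise LookupError("no card on file")
        pan = self._open(customer_id, row[0], row[1])
        return gw.charge(pan, row[2], amount_cents)  # no CVV2: it was never kept

    def stored_row(self, customer_id) -> dict:
        """What the database actually holds for this customer (for inspection)."""
        cur = self.db.execute("SELECT * FROM cards WHERE customer_id = ?", (customer_id,))
        return dict(zip([c[0] for c in cur.description], cur.fetchone()))

    def plaintext_in_dump(self, secret: str) -> bool:
        """True if `secret` appears anywhere in a SQL dump of the database."""
        return any(secret in stmt for stmt in self.db.iterdump())


def new_vault() -> CardVault:
    """Fresh vault with a random 256-bit key and an in-memory database."""
    return CardVault(AESGCM.generate_key(bit_length=256), sqlite3.connect(":memory:"))


if __name__ == "__main__":
    vault, gw = new_vault(), FakeGateway()
    vault.first_charge(gw, "cust-1", "4111 1111 1111 1111", "12/27", "123", 1999)
    vault.recurring_charge(gw, "cust-1", 1999)
    print(gw.calls)                       # CVV2 sent on the first call only
    print(vault.stored_row("cust-1"))     # ciphertext, last4, exp; no cvv2 column
```

Two things the thread's "it's encrypted" does not guarantee and this layout does: a dump of the database (or an injection that reads the table) yields only ciphertext and the last four digits, because the key is held by the application and not stored beside the data; and the CVV2 cannot outlive the first authorization, because nothing in the persisted schema can hold it. Whether your processor will accept recurring charges without a CVV2 is, as okrogius says, a matter of your agreement with them.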

  #12 TRISPECTIVE (SitePoint Evangelist, joined Sep 2002, 477 posts)
    Yes, true, you wouldn't need the CVV for recurring if everything went fine on your first charge attempt.
