SitePoint Sponsor

User Tag List

Page 1 of 2 12 LastLast
Results 1 to 25 of 27
  1. #1
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Location
    Idaho
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Sending Credit Card/SSN through email... bad idea?

    Ok, I have designed a web site for a client of mine that does Rental property management. She wants customers to be able to apply online for properties, which requires them to enter a SSN and Credit Card info so they can charge them an application fee. Then she wants that info emailed to her. I have the form created, and it emails fine, I just post the data and use an email class to send it all that works well. But I didn't want to activate it till I got a more experienced opinion on this. I feel really uneasy about emailing that data. I'm using an SSL connection with the script (don't know how much that will help) but I am really new to php security. I've been programming with php for a while now, but I havn't dealt with any e-commerce or important info such as this. Any tips on if this is do-able or if I should take another route, OR if I should just can it all together and make them pay at the office (which is an option). Please let me know ASAP cause the site is going to be online soon. Thanks in advance!

    Joe

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Very very very bad idea, don 't do it.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Evangelist simshaun's Avatar
    Join Date
    Apr 2008
    Location
    North Carolina
    Posts
    438
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SSL is all fine and dandy but sending them trough email is a nono, as logic_earth says.
    In many states, storing the SSN in plain-text like that is illegal. In fact, you should never store/send a SSN in plain-text to begin with.

    If your client wants to charge them an application fee, you can either make the client do it manually through her merchant account or setup a payment gateway such as Authorize.net to do it upon form submission. You can also setup Authorize.net to do an AUTH on the credit card, which only verifies it. Your client then has 30 days to CAPTURE the transaction (charge the card).

    As for storing credit card information, see this pdf.
    Wherever you store the credit cards must be PCI compliant, or you/your client will probably be risking major fines and revocation of her merchant account.
    As for SSN, do your research and investigate your state's Privacy laws.
    Last edited by simshaun; Feb 5, 2009 at 17:57.

  4. #4
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    Explain to your client that writing cc no. in an email is about as secure as writing it on a postcard, worked for me in the past.

  5. #5
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Location
    Idaho
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the quick replies everyone. I'll probably just have her use paypal or something instead. So the problem isn't really "passing the data" but just the fact that is stored in plain text sitting in someones email? Is it possible for people to "catch" and outgoing email or something from the site? Or is that highly unlikely?

  6. #6
    SitePoint Member
    Join Date
    Feb 2009
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think paypal is a safe bet. Or you could contact this person on the phone...

  7. #7
    SitePoint Addict pointbeing's Avatar
    Join Date
    Jun 2004
    Location
    London, UK
    Posts
    227
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    In some countries, this would probably be illegal. In general, do make sure that you understand the legal ramifications of capturing, and subsequently transmitting this kind of sensitive data, before you get yourself into a nasty situation.

  8. #8
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    At least an ethical point of view, I wouldn't feel comfortable providing just any old transport/collection/storage of such info. Nor would I feel comfortable giving it to them in some type of volatile insecure container like a text file, even if transport and collection was solid. I would freak out if I knew my SSN or credit card number was on the typical users computer. Soooo many people have viruses and keyloggers and all kinds of junk on thier computers. They don't know any better, but you do.

    Collecting sensitive and valuable info like SSN or credit card numbers on a shared webserver is just asking for it. It doesn't matter if you choose not to store the data on the server. It really needs to be vps or dedicated. Other users on your box with filesystem access can change config/files to listen in on your scripts, from the inside. Usually pretty easily too...

    I think by taking a firm stance about the importance of secure handling of such data, and offering alternate solutions, you can do the right thing here, and your client will probably even treat the info with more respect once it eventually does get into thier hands.

  9. #9
    SitePoint Addict
    Join Date
    Nov 2008
    Location
    Peterborough, Ontario, Canada
    Posts
    316
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It is now very illegal in the United States to store information in plain text! Even if you use the phone and store the card on file it's still illegal. You can be hit huge with penalties - especially if something goes wrong. Finding a payment gateway (like PayPal) is a VERY good idea. The small hit in fees is likely to save you a lot of money should something go wrong!
    Have I helped you? You could help me.
    Like my business on facebook!
    Text message polls with real-time, live results.

  10. #10
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If it is supposedly illegal, can you point me to the specific title/section of the U.S. Code? The US doesn't have strong privacy laws and this sounds like one of those law rumors. The biggest risk about improperly storing personal information is that you will lose your contacts with third parties (payment processors, banks, etc.).

    But on the subject of the thread, yes, it is a very bad idea as many have stated.

  11. #11
    SitePoint Evangelist simshaun's Avatar
    Join Date
    Apr 2008
    Location
    North Carolina
    Posts
    438
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No idea if it's illegal according to the US Government, but some states do enforce protecting personal information, such as North Carolina.

    In the US, I know you do have to be PCI compliant though (if storing CC information).
    Read this first.
    See this article, pay attention to question 9.

  12. #12
    SitePoint Guru
    Join Date
    Jan 2005
    Location
    heaven
    Posts
    953
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by jeffvdovjak View Post
    It is now very illegal in the United States to store information in plain text! Even if you use the phone and store the card on file it's still illegal. You can be hit huge with penalties - especially if something goes wrong. Finding a payment gateway (like PayPal) is a VERY good idea. The small hit in fees is likely to save you a lot of money should something go wrong!
    That's ridiculous. Its not illegal to store information in plain text.

    Off Topic:

    There is nothing secure about credit cards to begin with. My CS professor did a lecture on credit card fraud and identity theft last semester and I was shocked at how simple it was to get the credit card information and a persons full identity from the magnetic strip on a credit card. And everything you need to know about retrieving the information is in the code of federal regulations. >.>
    Creativity knows no other restraint than the
    confines of a small mind.
    - Me
    Geekly Humor
    Oh baby! Check out the design patterns on that framework!

  13. #13
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Location
    Idaho
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah I doubt storing someones credit card / personal info is completely illegal. I understand there is probably some sort of requirements, but if it was so illegal then how does my school have my social security and debit card number sitting in their file cabinet right now.

    This is an interesting topic though, because eventually I want to program a website that will handle credit card numbers and money transactions (big idea a friend and I have), but obviously it probably won't be online for over a year or so cause I'm sure there are a lot of laws that we need to research and I need to start learning more about security. I would hate to hear about a bunch of (my client's) clients getting their info stolen and have it be on my chest that I could have done something about it before hand... I told my client what the situation was and she hasn't responded specifically to that topic yet, I'm sure she will understand though.

  14. #14
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,196
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by simshaun View Post
    In the US, I know you do have to be PCI compliant though (if storing CC information).
    That is not completely correct. You need to be PCI Compliant to even process credit cards through a merchants API system.

    However, the PCI Compliance level you need for that is lower than what you need for storing credit cards. There are multiple PCI Compliance levels, all after how you handle the creditcard data and on the number of transactions you do.

    Quote Originally Posted by LiquidDigital View Post
    Yeah I doubt storing someones credit card / personal info is completely illegal. I understand there is probably some sort of requirements, but if it was so illegal then how does my school have my social security and debit card number sitting in their file cabinet right now.
    If your school store that on a piece of paper, then they are breaking the law/rules. The fact that someone else do it, does not make it legal.

    For processing credit cards, its not a problem just get a merchant account and use their API service. That way you get away with the lowest level of PCI Compliance.

  15. #15
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    To my knowledge, PCI compliance has no bearing or relation to US law. It's part of the contract you sign with your payment processor / bank.

    I'm not sure that US law has any provisions of this nature. We're not very strong in privacy laws.

  16. #16
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Location
    Idaho
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    So its illegal to store a CC number on a piece of paper, but not illegal to store it on a server some where?

    I understand that just because somebody else does it, doesn't make it legal. But you would think that if a university did it they would probably want to do it right, or why arn't they caught by now... so if it is illegal and they DO store it on a piece of paper somewhere, the government must not care that much.

  17. #17
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,196
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by sk89q View Post
    To my knowledge, PCI compliance has no bearing or relation to US law. It's part of the contract you sign with your payment processor / bank.

    I'm not sure that US law has any provisions of this nature. We're not very strong in privacy laws.
    The PCI Compliance is as you mentioned enforced onto you by the credit card companies.

    Though most probably there is a law that can be related to it as credit card would be considered personal information in US as well. At least we a law that can be used against storing personal information unsecure in Norway.

    Quote Originally Posted by LiquidDigital View Post
    So its illegal to store a CC number on a piece of paper, but not illegal to store it on a server some where?

    I understand that just because somebody else does it, doesn't make it legal. But you would think that if a university did it they would probably want to do it right, or why arn't they caught by now... so if it is illegal and they DO store it on a piece of paper somewhere, the government must not care that much.
    To be able to store the CC information on a server you need to have the highest level of PCI Compliance. This entails that the server where the CC information is stored on has to be on a local network seperated from the internet. It has to follow specific security mesures, and those has to be tested at set intervals etc. So unless your a large organization, doing this would cost way too much. This is the reason most companies let their merchant company handle this aspect.

    Also keep in mind that you are not allowed to store the cvv information at all.

    For your second question, remember there is two kinds of laws. One that apply to us normal people and one that apply to the goverment/state. The last one and people working for the last one can sometimes get away with the most amazing things which would get others put in jail for a very long time.

  18. #18
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Debating whether or not storing the information is legal or not is irrelevant, given that the credit card companies have legal standing to impose severe penalties on you, and all involved in a breach if security procedures are not followed. Considering the penalties involved, ANY developer would be a fool to store that information, without the proper PCI compliant security measures in place. Anything else is playing with fire.
    Visit my blog
    PHP && Life
    for technology articles and musings.

  19. #19
    SitePoint Enthusiast
    Join Date
    Dec 2008
    Location
    Idaho
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I understand that debating on the topic of storing a CC number is irrelevant to the topic, I came to the conclusion long ago that I wasn't going to email a CC number or even store one in a database at this point. But I just thought it was pretty ridiculous that people are throwing out comments that it is completely illegal to store a cc number...

  20. #20
    SitePoint Addict
    Join Date
    Nov 2008
    Location
    Peterborough, Ontario, Canada
    Posts
    316
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by imaginethis View Post
    That's ridiculous. Its not illegal to store information in plain text.

    Off Topic:

    There is nothing secure about credit cards to begin with. My CS professor did a lecture on credit card fraud and identity theft last semester and I was shocked at how simple it was to get the credit card information and a persons full identity from the magnetic strip on a credit card. And everything you need to know about retrieving the information is in the code of federal regulations. >.>
    You are right in that there is no security on a credit card. Unlike a bank card there is no encryption on the magnetic swipe. However, read the following article. It is both true for your employees and your customers.

    New Identity Theft Law Creates Lawsuit Threat For Small Businesses
    Press Release June 13, 2008

    (June 11, 2008) - In an effort to combat Identity Theft, the final provisions of The Fair and Accurate Credit Transactions Act (FACTA) expand the Identity Theft component of the Act. According to these new provisions, companies that haven’t taken “appropriate measures” to safeguard information from Identity Theft can be sued and face not only civil, but criminal penalties. TLV Group’s risk and compliance division is focused on helping smaller businesses comply with these provisions in a timely and cost effective manner.

    “This law exposes smaller businesses to bet-the-company litigation risks that are onerous and can be mitigated with proper planning,” says Lisa Vann, Vice President of Operations for TLV Group.

    As stated in the Winter 2007 issue of Texas Business Today released by Texas Commissioner Ron Lehman, “Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.”
    Source: http://smallbiztrends.com/2008/06/ne...usinesses.html

    These are fairly new laws that have come into effect. I heard a lot about it in the summer of '08 as they were then being prepared to come into effect (if I remember correctly). Many small business podcasts (including Wall Street's) spent time on this issue.
    Have I helped you? You could help me.
    Like my business on facebook!
    Text message polls with real-time, live results.

  21. #21
    SitePoint Member
    Join Date
    Feb 2009
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well its true that Sending Credit Card/SSN through email is a bad idea, as we can't say that our information is safe there. I don't thinks so that mailing our all data information to an known site is good or ok inspite this there would be sure some problems come to us.

  22. #22
    Floridiot joebert's Avatar
    Join Date
    Mar 2004
    Location
    Kenneth City, FL
    Posts
    823
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you can find no other alternative, you could compress the information to get into a binary format, then base64 encode the compressed information and include it in the email as an attached image.

    That should slip throught he cracks of any skimmers out there.

    Skimmers will take the time to decrpyt an intercepted email if they believe there's goodies inside it, but something that looks like a corrupted image isn't worth messing with unless they know to look for it.

  23. #23
    SitePoint Zealot zealus's Avatar
    Join Date
    Jan 2004
    Location
    NY
    Posts
    132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    We were working on some VirtueMart-powered shop recently and what I noticed about credit card processing is that it stores part of CC number in database and sends the other part through e-mail to admin/business owner. This way only the person who has access to both web site admin/DB and e-mail can recreate the full CC number. At least that's a rationale that (AFAIK) is considered compliant to current US regulations.

  24. #24
    Web Professional
    Join Date
    Oct 2008
    Location
    London
    Posts
    862
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by joebert View Post
    If you can find no other alternative, you could compress the information to get into a binary format, then base64 encode the compressed information and include it in the email as an attached image.
    Security by obscurity? I don't think so; especially when it comes to data as sensitive as CC numbers.

  25. #25
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You could just downright encrypt it if you really want to send it.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •