
RE: [cobalt-developers] SSL on RAQ 4 basic help



I'd strongly recommend NOT emailing credit card info under ANY
circumstances.  Instead, email them a link to a secure web page which
requires them to log in (and which is an HTTPS: page so transmission is
encrypted).  That page should display the order and credit card info.  It
should have two buttons: PRINT and ERASE CARD #.  ERASE removes the credit
card information from your server, so you don't have a database of credit
card numbers sitting around for someone to steal.  Even better if it wipes
out all but the last 4 digits of the card number, so you have the "ends in"
digits for reference.  Once they've printed their hardcopy of the order,
there's no need to keep any digital credit card data.

This is the way we handle this for our clients who want to take credit cards
but who don't want on-line card processing.  We go one step further and
force clearing of the credit card data after a week in case they neglect to
click ERASE.

	- Paul -


-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Hosting
Sales
Sent: Wednesday, November 21, 2001 10:29 AM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] SSL on RAQ 4 basic help


> -----Original Message-----
> From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx] On Behalf Of FS
> Sent: Wednesday, November 21, 2001 6:01 AM
> To: cobalt-developers@xxxxxxxxxxxxxxx
> Subject: [cobalt-developers] SSL on RAQ 4 basic help
>
> Hi,
>
> Can anyone help?
>
> I'm trying to set up a secure connection for a client who wants users to
> enter credit card details on a web page and then have these emailed to
> them.
> No real On-line payment is happening so my thoughts on how to do this would
> be to set up a secure connection via SSL and then send the email using
> APOP.
> Is this the best way to do this? If so, how do I actually use the SSL on a
> web page? I know how to activate it on a site, but how do I actually
> implement it for a particular web page (i.e. the page that has the details
> entered on to it)?
>
> I know this is probably quite basic stuff, but would really appreciate some
> help.
>
> Thanks
>
> F.
>

It is considered very bad form (and misleading) to use a secure site to
gather confidential information (such as a credit card number) and then
use a less secure means (such as plain-text email) to forward the
gathered information over the 'Net to another host.  Don't even think
about doing this unless the email (end to end, not just host to host)
will use a level of encryption at least as good as that of your web
server (probably 128-bit).  Likewise, don't store the data unencrypted
in any files on any system, including the secure server and the mail
server.

When browsing clients see the padlock icon, they have certain
expectations of information privacy.  You may be opening a king-size can
of worms if you violate those expectations for the sake of expediency.

Jack
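
The ERASE step and the one-week forced clearing described in Paul's reply at the top of this message, as an added example (not code from anyone on the list). The `orders` table, its column names and the function names are assumptions made for illustration; it covers only masking to the last 4 digits and the timed purge, not the encryption of stored data that Jack's message calls for.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)  # the forced clearing "after a week"

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # Ask SQLite to zero freed content instead of leaving it in free pages.
    db.execute("PRAGMA secure_delete = ON")
    db.execute("""CREATE TABLE IF NOT EXISTS orders (
        id          INTEGER PRIMARY KEY,
        created_at  INTEGER NOT NULL,  -- Unix time, UTC
        card_number TEXT,              -- full number; NULL once erased
        card_last4  TEXT)              -- the "ends in" digits kept for reference""")
    return db

def add_order(db, card_number, created_at):
    digits = "".join(ch for ch in card_number if ch.isdigit())
    cur = db.execute("INSERT INTO orders (created_at, card_number) VALUES (?, ?)",
                     (int(created_at.timestamp()), digits))
    db.commit()
    return cur.lastrowid

def _mask(db, where, params):
    # SET expressions see the row's old values, so last4 is taken before the NULL.
    cur = db.execute("UPDATE orders SET card_last4 = substr(card_number, -4), "
                     "card_number = NULL WHERE card_number IS NOT NULL AND " + where,
                     params)
    db.commit()
    return cur.rowcount

def erase_card(db, order_id):
    """Handler for the ERASE CARD # button; returns 1 if a number was erased."""
    return _mask(db, "id = ?", (order_id,))

def purge_expired(db, now):
    """Scheduled job: erase every number older than RETENTION, clicked or not."""
    cutoff = int((now - RETENTION).timestamp())
    return _mask(db, "created_at <= ?", (cutoff,))

if __name__ == "__main__":
    db = open_db()
    now = datetime.now(timezone.utc)
    # Constructed sample data: a well-known test card number, not a real account.
    add_order(db, "4111 1111 1111 1111", now - timedelta(days=8))
    add_order(db, "4111-1111-1111-1111", now - timedelta(days=1))
    print("purged:", purge_expired(db, now))
    print(db.execute("SELECT id, card_number, card_last4 FROM orders").fetchall())
```

Run `purge_expired` from a daily scheduled job so the week limit holds even when nobody opens the order page.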
