Re: [cobalt-users] payment method
- Subject: Re: [cobalt-users] payment method
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Thu Feb 15 21:10:02 2001
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Carrie Bartkowiak wrote:
> My problem is with Option 2.
> I'm really *really* wary about putting a customer's cc info anywhere on a
> server where there are also hosting clients.
That's a good feeling in this case <smile>.
> Customers with telnet can just
> go and browse into folders and gather information at their leisure - so
> that's out. Even if the folder is password protected, it still won't stop
> someone who's got shell access. (Unless someone can tell me what
> permissions/ownerships to put on a folder so that the server can go in and
> write to a file, but no one from telnet can browse in there except for
> root?)
Yes, I'm about to tell you, but remember, it's still a bad idea to keep
credit card information on a server.
--w--w---- (or in other words, chmod 220), where the owner or the group
of the file is apache's "owner" or group.
> I can put the info into a MySQL table but again, I'm not comfortable enough
> with the security to do this.
Still not a good idea.
So what can you do?
You can use an offsite gateway, such as authorize.net.
> But I really do want the ability to let the host keep the cc info on hand
> and then they've got it for monthly billing, extra fees for time spent
> helping the customer, etc.
But authorize.net won't ever send you the credit card info, so that
won't work.
> Does anyone have any suggestions about where I can dump the cc info and be
> confident that it's safe? Even a temporary situation would work, where the
> info gets dumped until the host has the opportunity to go in and record it
> on paper and delete the entries once a day or something - but I still want
> the info to be as safe as possible (again, from telnet access).
Next best idea (but you'd better make sure your server is very secure;
in fact more secure than a Raq can be, imho), is to get the credit card
info, keep it only in memory, and only long enough to run it through a
secure gateway for verification, then send it encrypted (public/private
key pair) to an email address, then delete every instance of it in clear
text.
And I'd still be wary.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205
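
The write-only drop file described in the reply above (mode 220, owned by the web server's account), as an added example that is not part of the original message. The function names and the sample records are hypothetical. It creates the file with exactly `--w--w----` regardless of umask and refuses to append to a pre-existing file that has looser permissions. The mode does not stop root, or any process running as the file's owner (which can chmod it back), from reading the contents.

```python
import os
import stat

WRITE_ONLY = 0o220  # --w--w----, the mode given in the reply


def append_record(path, record):
    """Append one line to a write-only drop file; return its mode string."""
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    try:
        # New file: O_EXCL guarantees we created it, then set the exact mode
        # ourselves because the process umask may have cleared the group bit.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_EXCL,
                     WRITE_ONLY)
        os.fchmod(fd, WRITE_ONLY)
    except FileExistsError:
        # Existing file: open without creating, and do not follow a symlink.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | nofollow)
    try:
        st = os.fstat(fd)
        extra = stat.S_IMODE(st.st_mode) & ~WRITE_ONLY
        if not stat.S_ISREG(st.st_mode) or extra:
            # Pre-existing file with read or "other" bits: do not write to it.
            raise PermissionError(
                f"{path}: unsafe mode {stat.filemode(st.st_mode)}")
        os.write(fd, record.encode() + b"\n")
        return stat.filemode(st.st_mode)
    finally:
        os.close(fd)


def readable_by_caller(path):
    """True if the calling account can open the file for reading."""
    try:
        os.close(os.open(path, os.O_RDONLY))
        return True
    except PermissionError:
        return False
```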