credit card information processing

[littlenick]

a friend of mine is making a project on airline reservation system through mobile here is the basic idea.

1. A customer open a web site and fills a registration form in which he gives his credit card info. and mobile with other info like name and address.
2. if the credit card info provided by that user is valid he is given a 3 digit PIN and his credit card info is saved in database of that site.
3.when he wants to make a reservation he has to send a sms to a pertivular number this SMS include 3 digit pin and details of flight and so on.

A perticular user can only make a reservation from his mobile number only(for security reasons).

the question is can a perticular web site store users credit card info in its database?
I mean is there any law about it?
If not then can that site claim to be secure ?
i mean if credit card information is stored in there database then they can't be secure can they?

And if i am right what changes can be made in this project?

[devildell]

i'm not sure of any law, but to answer your question regarding security nothing is safe. there is always ways for users credit card numbers to be compromized.....
one rule to keep in mind is that no computer is secure while it is connected to a network or the internet

many sites clame to be secure because of that https (encriped hyper text transfer protocol)
however i am still very weary of giving any kinda of info to a site i don't trust....

[Juridian]

Storing credit card information in a database is generally a bad idea and usually not necessary. Most of the reporting and other duties requiring that type of information can be handled via a hashed cc# or just keeping the span (so...first 4 and last 4).

If it is absolutely required to store the information in a database there are ways to manage the risk involved.

I would not recommend asking for legal advice here, you need to go and ask someone qualified.

[cacosapo]

2. if the credit card info provided by that user is valid he is given a 3 digit PIN and his credit card info is saved in database of that site.
...
the question is can a perticular web site store users credit card info in its database?
I mean is there any law about it?

some companies store your CC number for a small time (those that cant do the transaction on real time with CC company) but store it for ever isnt a good idea. And CC company will need also that 3 CVV to complete transaction. So, if someone stole that info, it will be hard to the customer to deny....

the SMS idea sounds good, but im not sure that is a safe way to do transactions. can it be intercepted? i think that someone can get the sms message, clone your cel phone and buy 1,000 tickets to China....

[TrEp]

Storing credit card numbers is completely legal and widely used by businesses, if you've ever been to Wal-Mart in the past 10 years then they have your credit card number on file. It's not a matter of whether or not the business is 'legally secure' there is no such thing other then the actually transmission of the transaction which does have requirements involving the encryption. If you trust a company and/or it's website enough to give them your credit card number then that's up to you. Different countries require different auditing measures when it comes to transaction record keeping, probably even different states but I don't know on that one.

[littlenick]

CACOSAPO u got it exactly right cloaning a SIM is pretty easy and there r problems in these mobile businesses but still every service is going mobile such as mobile banking mobile reservation systen mobile games and mail on mobile and so on.

as far as cc transection is concerned the ulternative my friend has on his project is to register a user from his web site process his credit card information(but not to store it)in this case he has to force the user to send credit card info in SMS along with other information.
here is anather question is it actually secure to send ur credit card information to a perticular number even if u know no human will process that information(i mean is data link of a mobile system secure medium can't they be hacked ?)even if they can't be i remember once i went inside a mobile service provider company's office i saw a computer with information about a perticular number specifically SMS details i can't say with confidence(i just had a look at it for a second or two) but i think i saw the data contained in each of SMS sent from that number in that perticular month.
secondly if i am asked to send my credit card information to some one through SMS for reservation i would think a thousond time before doing that.
as i said everything from banking to reservation is moving towards mobile hackers must be working on some thing to hack them too.

[TrEp]

Your remark about hacking a bank is misguided. No AS/400 has ever been hacked. Hackers have various different ways to get someones credit card number from looking in trash cans, picking up receipts, sniffing data, creating fake websites. Then there are the people with a brain who know how the system works, I won't go into to much detail on this subject due to the fact that I could divulge information that could help people do fraudulent transactions. Bank's are heavily audited due to the fact that they control assests in the millions to billions of dollars.
CACOSAPO it is possible to have credit card transactions be real time, now exactness on the purchase amount is another subject, it would generally be off in instances where you have the amount sent from a restraunt and then you leave a tip. It all depends on where you bank and who that bank is driven by in relation to processing.

I'm done before this topic gets into a sticky situation.

[littlenick]

Sorry TrEp i don't agree has never been done and will never been done are two different things i read a joke in a book:
one day a guy found a magic lamp it was dirty he rubbed it with his hand to clean it suddenly a ginnie appears he said "my lord u have three wishes that i can fulfil what can i do for u?"
the guy said i want 10 beautiful cars.

ginnie rubs his fingures and his wish was fulfilled.

then the guy said i want to be the richest person in the world.
ginnie rubs his fingure and his second was also fulfilled.
now the guy said "my last wish is that i want to be irresistible to woman"
ginnie rubs his fingure and the guy turns into a box of chocolates.

technology to human is what ginnie was to that guy if properly used it can be a our best friend if we don't give proper attention to security then what happened to that guy can just be the case with u.

when hackers have many ways of getting credit card information or access to your bank account they won't mind getting one more mathod would they?

human are supposed to make mistakes but we should better try not to make those mistakes or atleast learn from our past experience.

we should always try to learn from our mistake.

[xmaddness]

Originally posted here by TrEp
Storing credit card numbers is completely legal and widely used by businesses, if you've ever been to Wal-Mart in the past 10 years then they have your credit card number on file. It's not a matter of whether or not the business is 'legally secure' there is no such thing other then the actually transmission of the transaction which does have requirements involving the encryption. If you trust a company and/or it's website enough to give them your credit card number then that's up to you. Different countries require different auditing measures when it comes to transaction record keeping, probably even different states but I don't know on that one.

TrEp,

You are correct in saying that storing credit card numbers is completely legal, although I must agree with Juridian on the fact that it is not reccomended to store credit card numbers in a web server database system environment. In all of the credit card verification systems I have created, we only transmit the CC information, encrypted in ssl, and hashed together with a custom private key, and many other elements, which is only known by ourselves and the credit card clearing house's system. Not to mention the key is changed regularly.

The CC number is then discarded, and only the last four cc numbers are stored in the local webservers database. This, along with the Customers info, is all that is needed to do refunding and furthur transactions.

The credit card clearing house that you will use to clear the transaction should be left to hold onto the creidt card information. They are properly insured, and secured, to handle any type of incident, and will leave you less liable if the customers card number and information gets leaked. They also can handle any refunds, monthly service transactions, etc that may be needed by your company.


As far as the WalMart example, Walmart's main database of credit card information is most likly handles by an outside data farm company that properly secures this info, and will definetly not be accessible from outside of their WAN and be accisible to the web server.


sincerely,
xmaddness
Planet Maddness Industries
http://www.planetmaddness.com

[TrEp]

Ahh I misunderstood, xmadd is correct in regards to the storing of the information.. I didn't read the part about storing it on a webserver database. I figured it would be comon knowledge to store sensitive data offsite and I wasn't referring to where to store the data just that it was legal to store the data.
xmadd this is sysop by the way :P