credit card information processing

Printable View

Show 40 post(s) from this thread on one page

October 22nd, 2004, 04:17 PM
steve.milner

OK , in the UK, to process CC information you have to be approved by a body called APACS - and I'm assuming you would have to obtain similar approval to bill the customer in this manner.

The best advice I can give is discuss it with your approval body or the providers of any systems or software used to submit credit card data, since if you are not approved, they will be and will need to ensure that you are using the systems in an approved manor.

Personally I would be suprised if anyone gave you permission to do this, especially with only a 3 digit pin and that the pin is being sent via sms.

Storing CC info is not a problem in itself. Having systems compromised and the information stolen will represent a problem for you.

Steve
October 22nd, 2004, 04:44 PM
TrEp

littlenick I never said it will never be hacked, I said it has never been hacked nor has it ever been compromised by an internal or external force. AS/400's have been around for about 16 or so years and have never been hacked. Why? Because they don't teach AS/400 in colleges anymore, in fact the only places I have been able to find that do teach AS/400 and RPG programming was in canada and a few seminar training courses around the US. Not to mention the very strict auditing done on banks, hell banks aren't even allowed to have a AS/400 programmer on staff they have to outsource because having a programmer with constant access to a live working AS/400 is about as safe as jumping out of a plane without checking the parachut, sure more then likely it will open and everything will be fine but if it doesn't you're ****ed.
October 22nd, 2004, 05:29 PM
cacosapo

Quote:

... because having a programmer with constant access to a live working AS/400 is about as safe as jumping out of a plane without checking the parachut, sure more then likely it will open and everything will be fine but if it doesn't you're ****ed.

now im confused. So you think that an AS/400 is secure or not? It secured by itself or its just an obscure O.S. so no one can break it because no one knows?
October 22nd, 2004, 08:41 PM
TrEp

Lots of people know about AS/400s. Programming on an AS/400 however is a different story, as/400 programmers range in the 40-70 year old range there's not a big group of them hitting the market because alot of colleges no longer teach it, infact there's a big myth that the AS/400 is legacy because it's old which couldn't be further from the truth. IBM eserver AS/400 iSeries are multiprocessing multiuser beasts, they never crash, they don't get viruses, and they've never been hacked.
October 22nd, 2004, 08:46 PM
cacosapo

Quote:

.. as/400 programmers range in the 40-70 year old range

I agree with that. In fact im an AS/400 programmers (and an OS/400 sec officer too) and i fit in that range :)

BTW, OS/400 is an amazing O.S. on an amazing machine. However, it CAN be hacked (i dont know any virus although) just using technics applied to other platforms: administrator stupidity. Most AS/400 around the world are bad administrated and can be easly hacked thru the network with 10 min effort. Just because some ppl cant read the damn manuals..
October 22nd, 2004, 09:00 PM
TrEp

I didn't say it couldn't I said it never has been :P atleast none that I've ever messed with. If OS/400 was actually more accessable to the public I would assume someone would create a virus for it although due to the limitability of access and the file system structure I would have to say we won't be seeing viruses for it in me or your lifetime. I can access the 400 from anywhere else in the network but then again I know the username and password(defies the point I guess). In a bank environment however they aren't allowed to house a programmer on staff which makes hacking the as/400 internally kind of stupid? Sure human error has come into play before when people mistype end* commands without checking F4 and bring down subsystems but I don't exactly call that hacking.
October 23rd, 2004, 03:12 PM
littlenick

a friend of mine used his father's credit card information to access a porn site(it was some two years ago)later his father found out that some one in iran used his credit card information to shop online.
the administrator of that site probably stored that credit card information in database and used it later on for shopping(i guess).
he probably never sent it for any processing or validation or even if he did he also saved it in his database.
i don't have the URL of that site coz i don't have any contact with him now.as far as using credit card info. on net is concerned how can anyone be sure that it will not be misused(or saved and later used illegally).
In many country's there is no law against using someone else's credit card info. for shopping.
as far as mobile banking and mobile reservation is concerned i don't think it is by any means secure(from a users point of view).
say i am told to send my credit card info by SMS to a number(say 8888)how can anyone be sure that no human will se that information.
there is no encryption involved data in SMS may be processed by humans or by software(or machines).
so by no means it can be secure.and hackers(social engineers)might get anather mathod of gaining ur banking info or credit card information as there is no law involved.
we can only talk about the need of a global cyber law and a global athority to enforce that law but in present situation we have to face it.
i don't think this mobile business(usage of credit card to reserve your ticket) is an attractive idea(from a user's point of view to who security is of atmost concern).
and surely it is a attractive idea to pplz who don't think twice before using there credit card information on net or for that matter on mobile devices.
the question is simple what should be done in order to make this ticket reservation system as secure as possible coz we want to be honest with ourself(it is our graduation project also a live project).
there are two options(again)
1- force users to send there credit card information in SMS each time they want to secure a seat.
2-save there credit card information in our database in encrypted form and allot them a pin(which they send in SMS to reserve a seat

both mathods have security risk involved but personally i can't think of any other mathod.
October 23rd, 2004, 05:37 PM
slarty

Re: credit card information processing

Quote:

Originally posted here by littlenick

the question is can a perticular web site store users credit card info in its database?

They can and do.

Quote:

I mean is there any law about it?

That is probably locality-specific.

Quote:

If not then can that site claim to be secure ?
i mean if credit card information is stored in there database then they can't be secure can they?

It is reasonable for customers of a site which collects credit card information to assume that the site has adequate security against any security compromise. A security compromise would allow an attacker to collect CC numbers, whether they are stored in a database or not.

Quote:

And if i am right what changes can be made in this project?

Many payment service providers allow you to use an API to make repeat purchases from a card without needing to store its details in your own database. In fact, they do this by storing the CC details on your behalf.

Ask your PSP whether they support this feature and integrate with it. Then you can do what your want without storing the details.

Slarty

Show 40 post(s) from this thread on one page