credit card information processing

Printable View

October 20th, 2004, 06:52 PM
littlenick

credit card information processing

a friend of mine is making a project on airline reservation system through mobile here is the basic idea.

1. A customer open a web site and fills a registration form in which he gives his credit card info. and mobile with other info like name and address.
2. if the credit card info provided by that user is valid he is given a 3 digit PIN and his credit card info is saved in database of that site.
3.when he wants to make a reservation he has to send a sms to a pertivular number this SMS include 3 digit pin and details of flight and so on.

A perticular user can only make a reservation from his mobile number only(for security reasons).

the question is can a perticular web site store users credit card info in its database?
I mean is there any law about it?
If not then can that site claim to be secure ?
i mean if credit card information is stored in there database then they can't be secure can they?

And if i am right what changes can be made in this project?
October 20th, 2004, 07:04 PM
devildell

i'm not sure of any law, but to answer your question regarding security nothing is safe. there is always ways for users credit card numbers to be compromized.....
one rule to keep in mind is that no computer is secure while it is connected to a network or the internet

many sites clame to be secure because of that https (encriped hyper text transfer protocol)
however i am still very weary of giving any kinda of info to a site i don't trust....
October 20th, 2004, 07:08 PM
Juridian

Storing credit card information in a database is generally a bad idea and usually not necessary. Most of the reporting and other duties requiring that type of information can be handled via a hashed cc# or just keeping the span (so...first 4 and last 4).

If it is absolutely required to store the information in a database there are ways to manage the risk involved.

I would not recommend asking for legal advice here, you need to go and ask someone qualified.
October 20th, 2004, 07:43 PM
cacosapo

Re: credit card information processing

Quote:

2. if the credit card info provided by that user is valid he is given a 3 digit PIN and his credit card info is saved in database of that site.
...
the question is can a perticular web site store users credit card info in its database?
I mean is there any law about it?

some companies store your CC number for a small time (those that cant do the transaction on real time with CC company) but store it for ever isnt a good idea. And CC company will need also that 3 CVV to complete transaction. So, if someone stole that info, it will be hard to the customer to deny....

the SMS idea sounds good, but im not sure that is a safe way to do transactions. can it be intercepted? i think that someone can get the sms message, clone your cel phone and buy 1,000 tickets to China....
October 20th, 2004, 08:42 PM
TrEp

Storing credit card numbers is completely legal and widely used by businesses, if you've ever been to Wal-Mart in the past 10 years then they have your credit card number on file. It's not a matter of whether or not the business is 'legally secure' there is no such thing other then the actually transmission of the transaction which does have requirements involving the encryption. If you trust a company and/or it's website enough to give them your credit card number then that's up to you. Different countries require different auditing measures when it comes to transaction record keeping, probably even different states but I don't know on that one.
October 21st, 2004, 05:45 PM
littlenick

CACOSAPO u got it exactly right cloaning a SIM is pretty easy and there r problems in these mobile businesses but still every service is going mobile such as mobile banking mobile reservation systen mobile games and mail on mobile and so on.

as far as cc transection is concerned the ulternative my friend has on his project is to register a user from his web site process his credit card information(but not to store it)in this case he has to force the user to send credit card info in SMS along with other information.
here is anather question is it actually secure to send ur credit card information to a perticular number even if u know no human will process that information(i mean is data link of a mobile system secure medium can't they be hacked ?)even if they can't be i remember once i went inside a mobile service provider company's office i saw a computer with information about a perticular number specifically SMS details i can't say with confidence(i just had a look at it for a second or two) but i think i saw the data contained in each of SMS sent from that number in that perticular month.
secondly if i am asked to send my credit card information to some one through SMS for reservation i would think a thousond time before doing that.
as i said everything from banking to reservation is moving towards mobile hackers must be working on some thing to hack them too.
October 21st, 2004, 07:00 PM
TrEp

Your remark about hacking a bank is misguided. No AS/400 has ever been hacked. Hackers have various different ways to get someones credit card number from looking in trash cans, picking up receipts, sniffing data, creating fake websites. Then there are the people with a brain who know how the system works, I won't go into to much detail on this subject due to the fact that I could divulge information that could help people do fraudulent transactions. Bank's are heavily audited due to the fact that they control assests in the millions to billions of dollars.
CACOSAPO it is possible to have credit card transactions be real time, now exactness on the purchase amount is another subject, it would generally be off in instances where you have the amount sent from a restraunt and then you leave a tip. It all depends on where you bank and who that bank is driven by in relation to processing.

I'm done before this topic gets into a sticky situation.
October 21st, 2004, 07:43 PM
littlenick

Sorry TrEp i don't agree has never been done and will never been done are two different things i read a joke in a book:
one day a guy found a magic lamp it was dirty he rubbed it with his hand to clean it suddenly a ginnie appears he said "my lord u have three wishes that i can fulfil what can i do for u?"
the guy said i want 10 beautiful cars.

ginnie rubs his fingures and his wish was fulfilled.

then the guy said i want to be the richest person in the world.
ginnie rubs his fingure and his second was also fulfilled.
now the guy said "my last wish is that i want to be irresistible to woman"
ginnie rubs his fingure and the guy turns into a box of chocolates.

technology to human is what ginnie was to that guy if properly used it can be a our best friend if we don't give proper attention to security then what happened to that guy can just be the case with u.

when hackers have many ways of getting credit card information or access to your bank account they won't mind getting one more mathod would they?

human are supposed to make mistakes but we should better try not to make those mistakes or atleast learn from our past experience.

we should always try to learn from our mistake.
October 21st, 2004, 08:00 PM
xmaddness

Quote:

Originally posted here by TrEp
Storing credit card numbers is completely legal and widely used by businesses, if you've ever been to Wal-Mart in the past 10 years then they have your credit card number on file. It's not a matter of whether or not the business is 'legally secure' there is no such thing other then the actually transmission of the transaction which does have requirements involving the encryption. If you trust a company and/or it's website enough to give them your credit card number then that's up to you. Different countries require different auditing measures when it comes to transaction record keeping, probably even different states but I don't know on that one.

TrEp,

You are correct in saying that storing credit card numbers is completely legal, although I must agree with Juridian on the fact that it is not reccomended to store credit card numbers in a web server database system environment. In all of the credit card verification systems I have created, we only transmit the CC information, encrypted in ssl, and hashed together with a custom private key, and many other elements, which is only known by ourselves and the credit card clearing house's system. Not to mention the key is changed regularly.

The CC number is then discarded, and only the last four cc numbers are stored in the local webservers database. This, along with the Customers info, is all that is needed to do refunding and furthur transactions.

The credit card clearing house that you will use to clear the transaction should be left to hold onto the creidt card information. They are properly insured, and secured, to handle any type of incident, and will leave you less liable if the customers card number and information gets leaked. They also can handle any refunds, monthly service transactions, etc that may be needed by your company.

As far as the WalMart example, Walmart's main database of credit card information is most likly handles by an outside data farm company that properly secures this info, and will definetly not be accessible from outside of their WAN and be accisible to the web server.

sincerely,
xmaddness
Planet Maddness Industries
http://www.planetmaddness.com
October 21st, 2004, 08:31 PM
TrEp

Ahh I misunderstood, xmadd is correct in regards to the storing of the information.. I didn't read the part about storing it on a webserver database. I figured it would be comon knowledge to store sensitive data offsite and I wasn't referring to where to store the data just that it was legal to store the data.
xmadd this is sysop by the way :P
October 22nd, 2004, 04:17 PM
steve.milner

OK , in the UK, to process CC information you have to be approved by a body called APACS - and I'm assuming you would have to obtain similar approval to bill the customer in this manner.

The best advice I can give is discuss it with your approval body or the providers of any systems or software used to submit credit card data, since if you are not approved, they will be and will need to ensure that you are using the systems in an approved manor.

Personally I would be suprised if anyone gave you permission to do this, especially with only a 3 digit pin and that the pin is being sent via sms.

Storing CC info is not a problem in itself. Having systems compromised and the information stolen will represent a problem for you.

Steve
October 22nd, 2004, 04:44 PM
TrEp

littlenick I never said it will never be hacked, I said it has never been hacked nor has it ever been compromised by an internal or external force. AS/400's have been around for about 16 or so years and have never been hacked. Why? Because they don't teach AS/400 in colleges anymore, in fact the only places I have been able to find that do teach AS/400 and RPG programming was in canada and a few seminar training courses around the US. Not to mention the very strict auditing done on banks, hell banks aren't even allowed to have a AS/400 programmer on staff they have to outsource because having a programmer with constant access to a live working AS/400 is about as safe as jumping out of a plane without checking the parachut, sure more then likely it will open and everything will be fine but if it doesn't you're ****ed.
October 22nd, 2004, 05:29 PM
cacosapo

Quote:

... because having a programmer with constant access to a live working AS/400 is about as safe as jumping out of a plane without checking the parachut, sure more then likely it will open and everything will be fine but if it doesn't you're ****ed.

now im confused. So you think that an AS/400 is secure or not? It secured by itself or its just an obscure O.S. so no one can break it because no one knows?
October 22nd, 2004, 08:41 PM
TrEp

Lots of people know about AS/400s. Programming on an AS/400 however is a different story, as/400 programmers range in the 40-70 year old range there's not a big group of them hitting the market because alot of colleges no longer teach it, infact there's a big myth that the AS/400 is legacy because it's old which couldn't be further from the truth. IBM eserver AS/400 iSeries are multiprocessing multiuser beasts, they never crash, they don't get viruses, and they've never been hacked.
October 22nd, 2004, 08:46 PM
cacosapo

Quote:

.. as/400 programmers range in the 40-70 year old range

I agree with that. In fact im an AS/400 programmers (and an OS/400 sec officer too) and i fit in that range :)

BTW, OS/400 is an amazing O.S. on an amazing machine. However, it CAN be hacked (i dont know any virus although) just using technics applied to other platforms: administrator stupidity. Most AS/400 around the world are bad administrated and can be easly hacked thru the network with 10 min effort. Just because some ppl cant read the damn manuals..
October 22nd, 2004, 09:00 PM
TrEp

I didn't say it couldn't I said it never has been :P atleast none that I've ever messed with. If OS/400 was actually more accessable to the public I would assume someone would create a virus for it although due to the limitability of access and the file system structure I would have to say we won't be seeing viruses for it in me or your lifetime. I can access the 400 from anywhere else in the network but then again I know the username and password(defies the point I guess). In a bank environment however they aren't allowed to house a programmer on staff which makes hacking the as/400 internally kind of stupid? Sure human error has come into play before when people mistype end* commands without checking F4 and bring down subsystems but I don't exactly call that hacking.
October 23rd, 2004, 03:12 PM
littlenick

a friend of mine used his father's credit card information to access a porn site(it was some two years ago)later his father found out that some one in iran used his credit card information to shop online.
the administrator of that site probably stored that credit card information in database and used it later on for shopping(i guess).
he probably never sent it for any processing or validation or even if he did he also saved it in his database.
i don't have the URL of that site coz i don't have any contact with him now.as far as using credit card info. on net is concerned how can anyone be sure that it will not be misused(or saved and later used illegally).
In many country's there is no law against using someone else's credit card info. for shopping.
as far as mobile banking and mobile reservation is concerned i don't think it is by any means secure(from a users point of view).
say i am told to send my credit card info by SMS to a number(say 8888)how can anyone be sure that no human will se that information.
there is no encryption involved data in SMS may be processed by humans or by software(or machines).
so by no means it can be secure.and hackers(social engineers)might get anather mathod of gaining ur banking info or credit card information as there is no law involved.
we can only talk about the need of a global cyber law and a global athority to enforce that law but in present situation we have to face it.
i don't think this mobile business(usage of credit card to reserve your ticket) is an attractive idea(from a user's point of view to who security is of atmost concern).
and surely it is a attractive idea to pplz who don't think twice before using there credit card information on net or for that matter on mobile devices.
the question is simple what should be done in order to make this ticket reservation system as secure as possible coz we want to be honest with ourself(it is our graduation project also a live project).
there are two options(again)
1- force users to send there credit card information in SMS each time they want to secure a seat.
2-save there credit card information in our database in encrypted form and allot them a pin(which they send in SMS to reserve a seat

both mathods have security risk involved but personally i can't think of any other mathod.
October 23rd, 2004, 05:37 PM
slarty

Re: credit card information processing

Quote:

Originally posted here by littlenick

the question is can a perticular web site store users credit card info in its database?

They can and do.

Quote:

I mean is there any law about it?

That is probably locality-specific.

Quote:

If not then can that site claim to be secure ?
i mean if credit card information is stored in there database then they can't be secure can they?

It is reasonable for customers of a site which collects credit card information to assume that the site has adequate security against any security compromise. A security compromise would allow an attacker to collect CC numbers, whether they are stored in a database or not.

Quote:

And if i am right what changes can be made in this project?

Many payment service providers allow you to use an API to make repeat purchases from a card without needing to store its details in your own database. In fact, they do this by storing the CC details on your behalf.

Ask your PSP whether they support this feature and integrate with it. Then you can do what your want without storing the details.

Slarty