[lug] Letting folks pay from the web.

Bear Giles bgiles at coyotesong.com
Mon Feb 1 04:54:49 MST 2010


Lee Woodworth wrote:
> Is this for the spring Moonfest and how soon do you need to have it up? Getting
> the account and the cert might be a week _if_ things go well. Creating custom pages
> for the event that are actually secure (SSL != secure, it takes more than that)
> could take time. For instance making sure that you don't double charge when
> somebody does a browser refresh is important.
>
> You need a durable data store to track your records -- what happens if the hardware
> goes down? How do you know what charges were approved, etc? This is not something
> where a hobby-level setup is OK.
My employer verifies companies adhere to the standards required by the 
credit card companies.  Those standards are very high.  For everyone.  
It doesn't matter if you only handle a few dozen transactions per year.  
Your risk exposure might seem trivial but it's not since you could still 
easily have available credit in the hundreds of thousands of dollars 
range among those cards.

Keep that in mind.  You flat-out must not retain some information after 
authentication.  Other information can be retained, e.g., for periodic 
charges, but you'll need to encrypt it somehow.  AES encryption isn't 
hard but key management is.  A lot of sites just use a strong hash of 
the credit card number and require the customer to provide the original 
credit card before returns.

BTW you can find some information videos on YouTube on this.  IIRC the 
average cost after a credit card breach is in the 100k-150k range, 
enough that many small businesses have to close.  The reason why is that 
there are 4 risk categories and a breach automatically puts you in 
category 1 - the level required of merchants with millions of 
transactions per year.  That requires physical audits of your 
facilities, real-time monitoring of your logs, etc.  It doesn't matter 
how small your organization is.

Bear
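The two practices discussed in this thread, keeping only a hash of the card number so a return can be matched to the original card, and refusing to charge twice when a refresh resubmits the same order, worked through as an added Python example (not code from the post or from any particular processor). It assumes a keyed hash (HMAC with a secret key) rather than a bare digest, because the space of valid card numbers is small enough to enumerate, and uses a constructed in-memory ledger and a constructed key in place of a real durable store and key-management system.

```python
import hashlib
import hmac

# Constructed sample key. In a real deployment this lives in a key-management
# system, never in source code or alongside the ledger it protects.
HASH_KEY = bytes.fromhex("0f" * 32)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always hashes identically."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12-19 digits")
    return digits


def card_fingerprint(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the card number: safe to store, useless without the key."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def record_sale(ledger: dict, order_id: str, pan: str, amount_cents: int) -> dict:
    """Store only what a later return needs: fingerprint, last four, amount.

    The order id doubles as an idempotency key: a browser refresh resubmits the
    same id, and the existing record is returned instead of charging again.
    """
    if order_id in ledger:
        return ledger[order_id]
    digits = normalize_pan(pan)
    ledger[order_id] = {
        "fp": card_fingerprint(digits),
        "last4": digits[-4:],
        "amount": amount_cents,
    }
    return ledger[order_id]


def verify_return(ledger: dict, order_id: str, presented_pan: str) -> bool:
    """True only if the card presented for the return matches the sale's card."""
    rec = ledger.get(order_id)
    if rec is None:
        return False
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(rec["fp"], card_fingerprint(presented_pan))
```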