[lug] Letting folks pay from the web.
Bear Giles
bgiles at coyotesong.com
Mon Feb 1 04:54:49 MST 2010
Lee Woodworth wrote:
> Is this for the spring Moonfest and how soon do you need to have it up? Getting
> the account and the cert might be a week _if_ things go well. Creating custom pages
> for the event that are actually secure (SSL != secure, it takes more than that)
> could take time. For instance making sure that you don't double charge when
> somebody does a browser refresh is important.
>
> You need a durable data store to track your records -- what happens if the hardware
> goes down? How do you know what charges were approved, etc? This is not something
> where a hobby-level setup is OK.
My employer verifies companies adhere to the standards required by the
credit card companies. Those standards are very high. For everyone.
It doesn't matter if you only handle a few dozen transactions per year.
Your risk exposure might seem trivial but it's not since you could still
easily have available credit in the hundreds of thousands of dollars
range among those cards.
Keep that in mind. You flat-out must not retain some information after
authentication. Other information can be retained, e.g., for periodic
charges, but you'll need to encrypt it somehow. AES encryption isn't
hard but key management is. A lot of sites just use a strong hash of
the credit card number and require the customer to provide the original
credit card before returns.
BTW you can find some informational videos on YouTube on this. IIRC the
average cost after a credit card breach is in the 100k-150k range,
enough that many small businesses have to close. The reason why is that
there are 4 risk categories and a breach automatically puts you in
category 1 - the level required of merchants with millions of
transactions per year. That requires physical audits of your
facilities, real-time monitoring of your logs, etc. It doesn't matter
how small your organization is.
Bear
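As an added illustration of the two points raised in this thread (it is not code from either poster): Lee's concern that a browser refresh must not charge twice and that approvals must survive a crash, and Bear's note that sites keep only a strong hash of the card number and match the card again on a return. The example claims an idempotency key in a durable SQLite table before contacting the gateway, records the approval before replying, and stores only a keyed hash (HMAC-SHA256) plus the last four digits, never the full number. The `fake_gateway_charge` function, the key `b"constructed-test-key"` and the card number `4111 1111 1111 1111` are constructed stand-ins; the HMAC key is a secret to be kept apart from the database, which is where the key-management problem Bear mentions reappears.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the payment processor: approves every request and
# returns an opaque reference, as a real gateway returns a transaction id.
def fake_gateway_charge(amount_cents: int, pan: str) -> str:
    return "auth-" + secrets.token_hex(4)


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the card number, used to recognise the card later.

    An unkeyed hash is weak for this purpose: 16-digit numbers with a known
    issuer prefix and a Luhn check digit form a small search space, so a stolen
    table of plain hashes can be reversed by enumeration. The HMAC key is the
    secret that must be stored and managed separately from the database.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class PaymentStore:
    """Durable charge records with idempotent submission (assumed design)."""

    def __init__(self, path: str, fingerprint_key: bytes):
        self.db = sqlite3.connect(path)
        self.key = fingerprint_key
        self.db.execute(
            """CREATE TABLE IF NOT EXISTS charges (
                   idempotency_key TEXT PRIMARY KEY,
                   amount_cents    INTEGER NOT NULL,
                   pan_fingerprint TEXT NOT NULL,
                   last4           TEXT NOT NULL,
                   status          TEXT NOT NULL,
                   gateway_ref     TEXT)"""
        )
        self.db.commit()

    def charge(self, idempotency_key: str, amount_cents: int, pan: str) -> dict:
        """Charge once per idempotency key; a re-POST returns the first result."""
        digits = "".join(ch for ch in pan if ch.isdigit())
        fp = pan_fingerprint(digits, self.key)
        try:
            # Claim the key before talking to the gateway. The PRIMARY KEY
            # constraint makes the claim atomic, so two racing requests with
            # the same key (a refresh, a double click) cannot both charge.
            self.db.execute(
                "INSERT INTO charges VALUES (?, ?, ?, ?, 'pending', NULL)",
                (idempotency_key, amount_cents, fp, digits[-4:]),
            )
            self.db.commit()
        except sqlite3.IntegrityError:
            row = self.db.execute(
                "SELECT status, gateway_ref, amount_cents FROM charges "
                "WHERE idempotency_key = ?",
                (idempotency_key,),
            ).fetchone()
            return {"status": row[0], "gateway_ref": row[1],
                    "amount_cents": row[2], "replayed": True}

        ref = fake_gateway_charge(amount_cents, digits)
        # Persist the approval before replying, so a crash after this point
        # still leaves a record of what the gateway approved.
        self.db.execute(
            "UPDATE charges SET status = 'approved', gateway_ref = ? "
            "WHERE idempotency_key = ?",
            (ref, idempotency_key),
        )
        self.db.commit()
        return {"status": "approved", "gateway_ref": ref,
                "amount_cents": amount_cents, "replayed": False}

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM charges").fetchone()[0]

    def card_matches(self, idempotency_key: str, presented_pan: str) -> bool:
        """For a return: does the card presented now match the one charged?"""
        row = self.db.execute(
            "SELECT pan_fingerprint FROM charges WHERE idempotency_key = ?",
            (idempotency_key,),
        ).fetchone()
        if row is None:
            return False
        # Constant-time comparison of the two fingerprints.
        return hmac.compare_digest(row[0], pan_fingerprint(presented_pan, self.key))


if __name__ == "__main__":
    store = PaymentStore(":memory:", b"constructed-test-key")
    first = store.charge("order-42", 2500, "4111 1111 1111 1111")
    again = store.charge("order-42", 2500, "4111 1111 1111 1111")  # refresh
    print(first, again, "rows:", store.count())
    print("return with same card:", store.card_matches("order-42", "4111111111111111"))
```

The idempotency key would be generated server-side when the order form is rendered and carried in a hidden field, so that every re-submission of that form maps to the same row. The gateway's own reference, not the card number, is what the record needs for reconciliation.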