On Thu, April 14, 2005 1:57 pm, trlists@xxxxxxxxxx said:
> On 14 Apr 2005 Chris Shiflett wrote:
>
>> When a user enters a credit card number, there may likely be a
>> verification step before the actual purchase is made. It's better to
>> keep this number on the server (in the session data store) than to
>> unnecessarily expose it over the Internet again (SSL mitigates the risk,
>> but an unnecessary risk is still worth avoiding).

Hmmm. Seems to *me* that transmitting the CC# via SSL is more secure than
$_SESSION data on a shared server.

I guess on a dedicated server, it's a question of whether you trust your own
box to not have any sneak users on it, versus SSL-sniffing and decrypting,
and I'd *still* have to guess that SSL-sniffing/decrypting is less common
than hacked servers.

[shrug] But if Chris says I'm wrong, I must be wrong on that one.

Frankly, if their CC# failed the validation check, I'd personally just tell
them they typed it wrong, and give them a blank box again. They'll be too
tempted to just try it again without looking at the numbers if you give it
to them all filled in. You don't think they actually READ those error
messages, do you? :-)

If the client paying the bills won't accept that the empty box is "right",
and you can't educate them out of their opinion, I guess you're stuck
shuttling the CC# back and forth over SSL.

> Re last four digits, I have noticed that many sites seem to be going to
> showing the last five or six, first four plus last four, etc.
> Apparently people are finding that last four alone isn't sufficient for
> users to recognize the card.

As I understand it...

The first four digits, in almost all instances, match the BANK (card-issuer).
Each BANK has, like, one or more ####-....-....-....-.... "series" and they
exclusively control the cards within the #### range.

So if somebody uses, say, BankOne for both business and personal, the first
four digits are pretty much guaranteed to be not all that useful to them.

The odds on any given user having the same last four digits are pretty narrow.

I suspect that in some cases, the choice of what to display is what comes
back from the Merchant Account Server -- Just display whatever they think is
kosher to send back to you.

Seems like a reasonable action to me. After all, they are the ones actually
storing/processing the cards, and they ought to be the ones who know what
they are doing.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
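The two practical points in the thread above (reject a mistyped number without echoing it back, and show the user only a masked form such as last four or first four plus last four) can be illustrated with a short PHP snippet. This is an added example, not code from the thread or its participants; the function names, the masking policy and the sample card number (the commonly used Visa-format test number, which satisfies the Luhn check) are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread: a Luhn validity check plus a
// display-masking helper. Function names and masking policy are assumptions.
declare(strict_types=1);

/** Strip the spaces and dashes users typically type; keep only digits. */
function normalize_card_number(string $input): string
{
    return preg_replace('/[\s-]/', '', $input) ?? '';
}

/**
 * Luhn checksum (mod 10). Catches single mistyped digits and most adjacent
 * transpositions, i.e. the typos the "please re-enter it" message targets.
 */
function luhn_valid(string $digits): bool
{
    if ($digits === '' || !ctype_digit($digits)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Mask for display: keep $leading digits at the start and $trailing at the
 * end, replace everything in between with '*'. Refuses a combination that
 * would leave nothing masked, so a caller cannot accidentally show the
 * whole number.
 */
function mask_card_number(string $digits, int $leading = 0, int $trailing = 4): string
{
    $len = strlen($digits);
    if ($leading < 0 || $trailing < 0 || $leading + $trailing >= $len) {
        throw new InvalidArgumentException('Mask would expose the whole number');
    }
    return substr($digits, 0, $leading)
        . str_repeat('*', $len - $leading - $trailing)
        . substr($digits, $len - $trailing);
}

// Constructed input: a Visa-format test number that passes Luhn, and a
// one-digit typo of it that does not.
$samples = ['4111 1111 1111 1111', '4111-1111-1111-1112'];

foreach ($samples as $typed) {
    $digits = normalize_card_number($typed);

    if (!luhn_valid($digits)) {
        // As the post suggests: report the typo and present an empty field;
        // the number itself is not sent back to the browser.
        echo "Card number appears to be mistyped; please re-enter it.\n";
        continue;
    }

    // The full number would stay server-side (e.g. in the session store);
    // only a masked form goes to the confirmation page.
    echo 'Last four only:         ' . mask_card_number($digits) . "\n";
    echo 'First four + last four: ' . mask_card_number($digits, 4, 4) . "\n";
}
```

The masking helper takes the leading/trailing counts as parameters because, as the thread notes, the right amount to show varies by site and may be dictated by what the merchant processor returns; the guard in the function only stops the degenerate case of masking nothing.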