On Wed, May 3, 2006 5:15 pm, Chris W. Parker wrote:
> Steve <mailto:email.weblists@xxxxxxxxx>
>     on Friday, April 21, 2006 5:58 PM said:
>
>> So everyone's aware, I have NO intention of storing credit card #'s. I
>> don't see why anyone needs to.. especially after reading Richard's
>> past posts in the archive.
>
> Perhaps if you don't use a merchant account and process all your cards
> in house instead?? We keep the cc numbers stored until the card has
> * But if we did get a lot of orders I would reconsider even the current
> implementation and decide whether or not it was suitable. In fact I'm
> going to be redoing the entire thing coming up soon so this is good.

Contact the bank with which you already HAVE a merchant account for your point-of-sale credit card swiper thingies.

You're already working with them, paying them good money for essentially the "same" services.

Almost-for-sure they would be happy to provide you with an on-line merchant account for not too much more than you already pay them.

If not, I'm guessing that their competitors WILL do a package deal of on-line and POS merchant account, for the same price you're paying now, to lure you away from your current bank.

If you're re-doing it anyway, you might as well do it right. :-)

Because, frankly, the way you are doing it now is just not an acceptable risk...

Who has access to the computer which is used to get the admin data? How long do you think it would take a disgruntled employee or even a customer to add a key-stroke monitor application to that computer, and come back a week later to steal your login? Game Over.

Is that computer "on" the Internet? Even the BEST virus-protection software is "reactive" rather than "proactive" for the most part. How long before some virus infects it and that virus snoops on your login? Game Over.

You're using SSL for all the admin pages, right? If not, Game Over.

How do you transfer data from that screen to the POS device? Is it only in the admin user's head, with the computer right next to the POS, or does he write them down and/or print them out? If the CC#s go onto paper, it's Game Over. I don't care if you shred the paper after -- what about the hold sideways pencil rubbing on the next sheet trick?

Obviously you gave this some thought and are minimizing your risk to what you think is an acceptable level.

But if those 5 "current" numbers do leak out, I do believe you are required by law to inform ALL your customers that you leaked CC numbers.

Are you prepared to send out that mail?

If you're really prepared for this, sit down and write that mail, and have it on file, as a "contingency" plan. You'll need it in an awful big hurry if you ever do need it.

If you can't bring yourself to write that letter as a "contingency" then you're not really prepared to accept your current Risk. :-)

Believe me, I know where you're coming from.

I *ALMOST* did the same thing you are doing for a tiny store that already has POS, because I had the owner on my back every day for months "wanting" this, and they didn't want to spend $$$ on the on-line merchant account.

Thank [deity] others on this list educated me about all the ways this can go wrong. I've maybe hit 10% in this email.

I started describing these things to the store owner. After the blood came back to his face, he realized just how badly he did NOT want me to do this the wrong way.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php