Re: https and Credit Cards

On Mon, Apr 13, 2009 at 10:19:34PM -0500, Skip Evans wrote:

> Hey all,
>
> I've always put any forms that collect credit card information
> behind a secure connection, https, figuring that sending that
> information from the client browser to the server should be
> secure, but I'm having trouble convincing a client that it is necessary.
>
> He instead insists that only the call to the credit card
> processor's server needs to be secure and of course the
> processor supplies the connection there.
>
> But doesn't also the form need to be secure since you're
> sending CC information from that form back to the web site's
> server?
>
> That's what I've always assumed.
>
> I need some opinions on this, and if I'm right I think the
> client will defer to a few more votes.

You're absolutely right, no question, and for exactly the reasons you
give. The path back to the server from the client is unencrypted if you
don't use https, and the credit card information is in the clear when
transmitted.

In fact, if I were a hacker and found out that you were doing this, I'd
make it my business to hijack that connection so I could transparently
capture credit card information. I mean, for a hacker, that's just too
sweet a setup.

Incidentally, if he insists, I'd decline the job. Even if he signed
waiver after waiver to absolve you of responsibility (which I'd make him
sign), he could still go after you later when the consequences hit. Let
some less ethical coder do it the way he wants.

Paul

-- 
Paul M. Foster
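As an added illustration of the point made above (this is not code from the thread or from either poster), here is how a PHP checkout page can refuse to serve or accept the card form over plain HTTP. The PHP functions and `$_SERVER` keys are standard; `CHECKOUT_HOST`, the `$trustProxy` flag and the page layout are assumptions.

```php
<?php
// Canonical host for the HTTPS redirect. Assumed config value; using a fixed
// host instead of the Host header avoids redirecting to an attacker-chosen site.
const CHECKOUT_HOST = 'shop.example';

// Did this request reach PHP over TLS? If a TLS-terminating proxy sits in
// front of the app, it must set X-Forwarded-Proto and be the only path in;
// $trustProxy is an assumed config flag and should default to false.
function request_is_https(bool $trustProxy = false): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy
        && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

function require_https_for_card_form(): void
{
    if (request_is_https()) {
        // Tell browsers to keep using HTTPS for this host for one year.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // The card data has already crossed the network in the clear. Do not
        // process it, and do not redirect (that would resubmit it); fail loudly
        // so the misconfiguration is noticed rather than silently tolerated.
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Card details must be submitted over HTTPS. Nothing was processed.\n";
        exit;
    }

    // Plain GET for the form itself: send the browser to the HTTPS URL.
    header('Location: https://' . CHECKOUT_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

require_https_for_card_form();

// Only below this line is it safe to render the form or read $_POST['card_number'].
```

The same check belongs on both the page that renders the form and the script named in its `action`, since it is the POST back to the site's own server that carries the card number.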

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
