Re: Re: Storing Credit Cards, Passwords, Securely, two-way encryption


"Peter Beckman" <beckman@xxxxxxxxxxxxx> wrote in message 
news:20060106235409.B8551@xxxxxxxxxxxxxxxxxxxx
> On Fri, 6 Jan 2006, Dan Baker wrote:
>
>> "Peter Beckman" <beckman@xxxxxxxxxxxxx> wrote in message
>> news:20060105202254.X8551@xxxxxxxxxxxxxxxxxxxx
>>> So I'm thinking about how to save credit card numbers in the DB, for
>>> re-charging cards for subscriptions, new orders, etc.
>>>
>>> I'm also thinking about how to save passwords in the DB, not plaintext,
>>> but
>>> not one-way encrypted either.
>>>
>>> Any suggestions?  How would I secure the database?  I'm thinking some
>>> abstract process in code, or something -- security through obscurity.
>>
>> [Summary: Call Verisign, pay THEM to store credit cards for you]
>
>  What, exactly, does VeriSign do, that makes you so sure that they have
>  secured the credit card information any better than I could, using a
>  well-thought-out system?  Do you even know?  You just hear "VeriSign" and
>  believe they have smart people that have more resources available to them
>  to do a better job securing the data?
>
>  Maybe this makes sense if you are doing a few hundred or a few thousand
>  dollars of business a month, but if you are planning on doing $5,000 to
>  $10,000 a day, it is a lot of added expense to have someone else do it,
>  when I could have it done internally.  It is the how.
>
>  Please, no more replies saying don't do it.

VeriSign (and other similar organizations) have pros and cons.  Obviously, 
the cons are usually tied to the big $.
VeriSign costs $70/month (for the first 1000 transactions per month).  My 
company is in the 1000 transaction per month range, but I think each 
transaction after that is $0.10.  BTW, VeriSign was just bought by PayPal.

You have to pay every credit card company you do business with, no matter 
what solution you select.  Usually a % of the total charges.  If you do 
enough business per card, your % drops.  Also, if you don't include enough 
information with each transaction, your % will be increased.  The most 
important information you need to include is: billing address and billing 
zip code -- most credit card companies won't increase your % if you provide 
these two pieces of information per transaction. CSCs (CVV2) are usually 
not tied to your % payment, and it is illegal to store them.

You ask: "What exactly does VeriSign do?"  I don't know.  I pay them $70 
each month, and they process my credit cards.  I know they have been in the 
business a long time, and experience means a lot (to me).  Somehow, I can 
re-run a charge on an already-run credit card, and they magically know all 
the information for that credit card (including the CSC).  We sell a service 
that people pay monthly for, and we make up the $70 to VeriSign in reduced 
%.

You mentioned that it "makes sense if you are doing a few hundred dollars a 
month".  This seems backward to me.  It is too expensive if you are only doing 
a few hundred dollars a month.  The $70 a month disappears as you do *more* 
business.  If you are doing $10,000 a day, you need to call each credit card 
company you do business with (Amex, Discover) and ask for a "Rate Review". 
They will surely drop their % if you are doing that kind of volume.  We just 
had a rate review with Amex, and our rate dropped significantly.

Oh --- You also need to check on your merchant account.  They usually hit 
you per transaction.  This is where the $ can start to add up!  Your merchant 
account may also be handling your Visa/MC transactions, and taking a % of 
those -- so ask for a rate review from them also.

And last of all, I know of a pretty large company that uses a service 
similar to VeriSign.  This other service (can't remember the name) didn't 
provide the "PNRef" scenario, so the company stores credit card numbers in 
their database (encrypted of course), and they just run the numbers every 
month for their service.  Seems to be working ok for them.  I don't know who 
wrote their software, what encryption they are using, where the data is 
stored, how it is backed up -- I guess I don't know anything except they are 
storing credit card numbers and are currently doing a good business.  Funny, 
they are still paying for a similar service to VeriSign.

DanB

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php