Ecommerce Forum

This 39 message thread spans 2 pages: 1 [2]
Emailing credit card info
In a bit of a quandary
jenkers




msg:3395012
 10:01 am on Jul 15, 2007 (gmt 0)

Hi all,
I'm in a bit of a quandary and was hoping for some advice.
I'm based in the UK and have a meeting this week with a merchant who wants an ecommerce site building.

I discussed their requirements very briefly over the phone prior to making the appointment to scope the project out properly.

When I asked about payment methods, merchant account with the bank etc, this prospective customer was adamant that they did not want to use any online payment system but wanted the credit card details emailed to them from the checkout.

I pointed out that this really wasn't a secure method and that they would be liable for loss of any credit card data - but that didn't bother them and they were happy to take the risk as all their PCs etc are password protected.

I supply the hosting with all of the sites I build, and this covers email etc.

What I'm worried about is - am I liable in any way? I'm a reseller for hosting, I have no idea who may and who may not be able to access their email accounts etc.

Professionally speaking - I don't think they should accept people's data in this way. I certainly wouldn't want my credit card data sitting in logs on mailservers, people's PCs etc.

But is it up to me to tell them what to do? Obviously I'd like to take the work but....

Anyone been in a similar situation? If so, what did you do? Am I better off leaving alone or should I just shut up and do the job?

 

RailMan




msg:3397904
 8:21 am on Jul 18, 2007 (gmt 0)

i'd really like to see cc companies taking action against biz owners who don't take security seriously - the systems are in place to protect cardholders and merchants - it's just up to merchants to implement the systems - and it's not difficult or expensive

well done jenkers on saying no

jenkers




msg:3397995
 11:40 am on Jul 18, 2007 (gmt 0)

just thought I'd add an update.

I've spoken again to the merchant today and have convinced them (it seems) that Google checkout is a viable and safe option that won't cost them an arm and a leg.

ytswy




msg:3398297
 4:47 pm on Jul 18, 2007 (gmt 0)

> i'd really like to see cc companies taking action against biz owners who don't take security seriously - the systems are in place to protect cardholders and merchants - it's just up to merchants to implement the systems - and it's not difficult or expensive

I'm actually getting the feeling (as a small UK merchant that does currently take payment details on our own server) that the writing is on the wall about this, and we are looking at moving to an online processor for this reason.

@jenkers: moral high-ground and the contract by the sound of it, you can't ask better than that :) Bet they respect you more now as well..

justgowithit




msg:3398505
 8:26 pm on Jul 18, 2007 (gmt 0)

> i'd really like to see cc companies taking action against biz owners who don't take security seriously

They do.

Corey Bryant




msg:3399168
 3:50 pm on Jul 19, 2007 (gmt 0)

Google could be good, but they actually allowed their PCI compliance to expire back in February

-Corey

websatchmo




msg:3400307
 7:45 pm on Jul 20, 2007 (gmt 0)

I wouldn't figure it is your problem. But why not suggest an encryption where you encrypt the data, and only they have the key to decrypt the strings. That way it's still secure, even in an unsecure email.

Demaestro




msg:3400374
 9:18 pm on Jul 20, 2007 (gmt 0)

> I wouldn't figure it is your problem. But why not suggest an encryption where you encrypt the data, and only they have the key to decrypt the strings. That way it's still secure, even in an unsecure email.

Well besides being a reason for you to lose your merchant account and making yourself liable for millions of dollars in fraud recouping fees..... here are a few reasons off the top of my head.

Only they? They being who? Someone getting $5.00 an hour to process Credit Card transactions? Sounds safe.

What variables are being filled with the CC number in code before being encrypted? Are any left in memory? What about the encryption algorithm? Where does that live? Is it safe? Can it be touched from the outside to send an extra email in the background that isn't encrypted?

So the key/salt lives on only one computer? Or many? Where are these computers stored? Who else has access to them? Is there a contract cleaning crew coming through the office? Have the backgrounds of their employees been checked? Is this computer on a network?

What is the policy for storing these emails and deleting them? Are they being backed up by some archiving process on the mail server?

What steps happen to the email that gets delivered to the mail server before reaching an end user's computer?

Why can't people wrap their head around how much is at stake with someone else's credit card information?

Be safe... do things right... don't try to be clever about security unless you are in fact an expert. Hash encryption has a place but it isn't for emailing credit card information. Leave this to professionals.

[edited by: Demaestro at 9:23 pm (utc) on July 20, 2007]
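
The posts above worry about card numbers lingering in mail stores, archives and backups. As an added example (not part of the original thread, and not code from any poster), the sketch below scans a stored e-mail for Luhn-valid card numbers and reports them masked; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Masked form of every Luhn-valid card-number candidate in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Keep first six and last four so the report holds no full number.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_message(raw: str) -> list[str]:
    """Scan the subject and every text part of one RFC 822 message."""
    msg = message_from_string(raw)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return find_pans("\n".join(chunks))

# Constructed sample: a checkout e-mail of the kind discussed in the thread.
# 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE = """\
From: shop@example.test
To: orders@example.test
Subject: New order 1042

Name: A. Customer
Card: 4111 1111 1111 1111
Order ref: 4111-1111-1111-1112
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Run over a mailbox export or mail-server archive, a scan like this shows where card numbers are already stored in the clear; the near-miss order reference is ignored because it fails the Luhn check.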

rocknbil




msg:3400907
 5:54 pm on Jul 21, 2007 (gmt 0)

See previous post about GPG/PGP encryption, it is extremely secure but requires more "work" for a client to retrieve the info than a secure CC processing system, so anyone wanting to email CC info most likely wouldn't go for this.

Additionally, it is still unacceptable by merchant providers.

GaryK




msg:3400977
 8:01 pm on Jul 21, 2007 (gmt 0)

> but requires more "work" for a client to retrieve the info than a secure CC processing system

There are quite a few security gateways on the market today. Most of them handle things like decryption of e-mail at the gateway. The decryption process would be transparent to the person processing the order.

Note: I am not endorsing this method. Just pointing it out as a somewhat secure and easy workaround.

To me it's not worth risking the loss of a merchant account just so I can be stingy about security and in the process open myself to more legal exposure from aggrieved [former] customers.
