
Ecommerce Forum

Security issue with credit card orders
encryption of email with credit card info
Marcia
msg:646645
12:22 am on Dec 13, 2000 (gmt 0)

I deal with a couple of different remote providers of credit card processing for clients. I have just found out that one of them sends email notification of orders to the clients that include not only the name, address and order of the purchaser, but also, their credit card information - the number included.

I feel that email like this should not be sent with sensitive information unless it's encrypted. It is now being sent without encryption. Am I correct? If so, I will make a change of provider on those sites.

How much risk does this represent?

TIA, Marcia


mnw
msg:646646
1:43 am on Dec 13, 2000 (gmt 0)

Risk is in the eye of the holder of the credit card. I believe that it is a significant risk. Most of the e-commerce sites I deal with as a user send only the last 4 digits of the card. This gives me enough information to know what credit card I used but not enough to do anyone else any good. It is easier than encryption.

rcjordan
msg:646647
2:21 am on Dec 13, 2000 (gmt 0)

I agree with mnw, it is a significant risk. I saw this security breach protested loudly in tech articles a couple of years ago and I'm surprised it's still out there. Frankly, I'd be concerned if anyone I ordered from did broadcast a card account number. I've seen some using 4 digits and then greek out the rest - I think that's OK.

Marcia
msg:646648
2:47 am on Dec 13, 2000 (gmt 0)

The client hadn't told me because she "didn't want to bother me with every little thing." But she has had a couple of customers complain about it.

Yes, it's still happening. I just found out, and have written to the company that does the processing. I'm also planning on posting to the crafters' email list to see if anyone else is experiencing this with other providers.

Thanks much!

scott
msg:646649
12:29 pm on Dec 13, 2000 (gmt 0)

I agree also. Marcia, can you give us a clue as to who the processor is so we can look out for it?

-Scott

GWJ
msg:646650
3:59 pm on Dec 13, 2000 (gmt 0)

I would never take that risk. I feel that this is a HIGH security breach. If I got a confirmation e-mail to an order and it had my CC number in it I would cancel. It also brings up IMHO how secure is my CC in the site's DB. If they let the 1st thing slide how secure is the back end.

Just my 2 cents.

Brian

scott
msg:646651
4:27 pm on Dec 13, 2000 (gmt 0)

Brian brings up a great point, and one I've often wondered about. Just how secure is your credit card processor's database and backend accounting software?

I've done enough research in encryption technology to know what it takes for a company to provide the right protection, but it's usually not something they promote very heavily. My guess is it's because the general public doesn't demand that much detail. That, and there's no need to go educating would-be hackers what method/software/etc. they use.

It all boils down to trust in the end. Trust is the cornerstone for all cc transactions anyway. It's where certificates to process are born from. Evaluate as much about the firm as you can and resolve to trust them until they give you a reason not to, I guess.

-Scott

tedster
msg:646652
10:39 pm on Dec 13, 2000 (gmt 0)

>It all boils down to trust in the end.

Having spent several decades in retail, I say AMEN to that. For years our credit card numbers have been lying around in hardcopy form in the backrooms of many, many businesses, accessible to a lot of employees. Stolen numbers from the web are relatively rare, I understand.

I went shopping at a large office superstore recently. When they swiped my card, the full number showed on the register's LCD display for a few seconds, which was facing the parking lot window. With a good lens on a video camera, a thief could get a bunch of numbers very quickly by filming the register area from his car.

I complained to the manager, and was told no one else ever complained. Now that's a sign of trust -- blind faith actually.

rcjordan
msg:646653
2:07 am on Dec 14, 2000 (gmt 0)

>how secure is your credit card processor's database

Hacker posts 25,000 credit card numbers on web [usatoday.com] in extortion plot. (out of 55,000 stolen)

Other companies that have recently had credit card numbers obtained by hackers include:

CD Universe - about 300,000 credit card numbers

SalesGate.com - thousands

RealNames - 20,000 card numbers

Western Union - more than 15,000

Marcia
msg:646654
2:22 am on Dec 14, 2000 (gmt 0)

Now that is scary! I wonder if it pays to have one of those internet-only bank accounts with a debit card attached, keeping only a limited amount of funds in it to use for internet purchases.

mnw
msg:646655
2:32 am on Dec 14, 2000 (gmt 0)

What might be even better is American Express "Private Payments". From the AMEX site, as an explanation, not an ad :)

"Private Payments enables American Express Cardmembers to use an instantly generated, limited life, transaction number instead of a Cardmember's actual Card number to make purchases online. American Express is able to match this transaction number to your registered American Express Card, so that all Private Payments purchases are recorded and billed directly to your actual American Express Card account."

Has anyone used this?

rcjordan
msg:646656
2:35 am on Dec 14, 2000 (gmt 0)

>Has anyone used this?

No but it sounds like at least a partial solution. I wonder how the cardholder goes about generating the unique transaction number at the time of purchase?

The RealNames one got me. No charges, but the bank made everyone get new accounts.

>limited amount of funds in it to use for internet purchases.

That's what I do for the business card I use with NetSol, etc. (Note: I do not believe business cards are protected by the $50 limit - you may have greater liability with them.)

As for my personal cards, I voluntarily change accounts every 2 years, just to break the trail of old info stored in databases.

GWJ
msg:646657
12:52 pm on Dec 14, 2000 (gmt 0)

On our DB (online only) we dump the CC number after 24 hours. We set it to a 24 hour dump as when an order is placed the CC gateway does an auth. only (yes this is on purpose). We then check in every morning and review orders manually; this ensures (or cuts back on) that bogus/fraud orders are weeded out. When we check in we verify AVS (address verification system) on the transaction. If no match/partial match we then call up the card holder's bank and manually verify.

AMX has a great system, I wholly back their plan (consumer confidence). Mastercard has just set a $0.00 dollar liability rate, good move (again read consumer confidence).

<rant>My problem is...who sides with the merchant. I have ranted on this before. "Non-possession" chargebacks always make me cringe. However we have not had one since I secured some policies on orders (knock on wood).</rant>

Brian

rcjordan
msg:646658
8:08 pm on Dec 14, 2000 (gmt 0)

MasterCard to issue smart cards in USA [usatoday.com]

''Aimed at online shopping'' but MC expects their use to expand to brick-and-mortar stores and other retailers as the technology spreads.

Marcia
msg:646659
8:20 pm on Dec 14, 2000 (gmt 0)

Here is the response I received to the email I sent questioning this:

Marcia,
We used to do it that way but not anymore. When we had the old cart it would work that way, but with the new cart they get a copy of the order with no credit card details, then they go and use the browser and secure server to view everything. Totally secure.

With the orderform, an e-mail is sent to me then I log on to the server and get the info (in its encrypted form, decrypt it and process it). Everything we do now is extremely secure.

If there is anyone getting the complete info then I would like to know who they are and rectify it. I thought I got them all.

One option the cart has is to break the card into two E-Mails and send it that way. Believe it or not that is also secure because the chances of intercepting both E-Mails is basically impossible. I leave that on the cart with the secure option just for a choice. Also, when I send out confirmations there is no part of the Credit Card numbers shown (I personally hand delete them) and if anyone tells otherwise then I would like to talk with them. Hope this helps.

Based on this response, I guess it pays to double-check which shopping cart is being used and how it's configured.
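As an added example, not code from this thread or from any cart or processor named in it, the two controls the discussion keeps coming back to: masking a card number to its last four digits (what mnw says the sites he uses do) and, for the "double-check how the cart is configured" step above, scanning an outgoing order notification for any full card number before it leaves the server and redacting it. The sample notification text is constructed; the issuer-prefix table is an assumption that covers only the classic Visa / MasterCard / Amex / Discover ranges, and Luhn alone is only a filter (about one random digit run in ten passes it), which is why the prefix check is applied as well.

```python
"""Added example: last-four masking and an outbound-email card number scan.
Not code from the original thread. Sample text and issuer table are assumptions."""
from __future__ import annotations
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every issued card number passes, ~10% of random runs also do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits: str) -> str | None:
    """Classic issuer prefixes and lengths (assumed: the card types this merchant accepts)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16):
        return "visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if "51" <= digits[:2] <= "55" and n == 16:
        return "mastercard"
    if digits.startswith("6011") and n == 16:
        return "discover"
    return None


def looks_like_pan(digits: str) -> bool:
    return brand(digits) is not None and luhn_ok(digits)


def mask_pan(digits: str) -> str:
    """Truncate to the last four digits, the form that is safe to put in an email."""
    return "X" * (len(digits) - 4) + digits[-4:]


# A run of digits optionally separated by single spaces or dashes ("4111 1111 1111 1111").
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
_PAN_LENGTHS = range(19, 12, -1)            # card numbers are 13..19 digits; try longest first


def _pan_spans(digits: str):
    """Yield (start, end) offsets of card-number windows inside a digit string."""
    i = 0
    while i < len(digits):
        for n in _PAN_LENGTHS:
            if i + n <= len(digits) and looks_like_pan(digits[i:i + n]):
                yield i, i + n
                i += n
                break
        else:
            i += 1


def find_pans(text: str) -> list[str]:
    """Every card number (digits only) present in free text such as an order email."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        hits += [digits[s:e] for s, e in _pan_spans(digits)]
    return hits


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every card number in text in place, keeping the original separators."""
    count = 0

    def fix_run(m: re.Match) -> str:
        nonlocal count
        run = m.group()
        digits = re.sub(r"\D", "", run)
        spans = list(_pan_spans(digits))
        count += len(spans)
        hide = [False] * len(digits)
        for s, e in spans:
            for k in range(s, e - 4):       # everything but the last four digits
                hide[k] = True
        out, idx = [], 0
        for ch in run:
            if ch.isdigit():
                out.append("X" if hide[idx] else ch)
                idx += 1
            else:
                out.append(ch)
        return "".join(out)

    return _DIGIT_RUN.sub(fix_run, text), count


def safe_to_send(text: str) -> bool:
    """Gate for the merchant notification: refuse anything still carrying a full card number."""
    return not find_pans(text)


# Constructed sample of the kind of notification the thread complains about.
SAMPLE_NOTIFICATION = """New order #10042 placed Dec 13, 2000
Customer: J. Doe, 12 Main St, phone 555-123-4567
Items: 2 x hand-thrown mug @ 19.95
Card: 4111 1111 1111 1111 exp 01/02
Backup card: 3782-822463-10005
"""

if __name__ == "__main__":
    body, n = redact_pans(SAMPLE_NOTIFICATION)
    print(f"{n} card number(s) redacted; safe to send: {safe_to_send(body)}")
    print(body)
```

Run against the sample, both card numbers are found, the phone and order numbers are left alone, and the redacted body comes back with only the last four digits of each card. The gate belongs in the cart's mail-sending path, not in a report read the next morning, because the thread's problem is a number that has already been delivered over plain SMTP.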
