
Forum Moderators: buckworks

Emailing credit card info

In a bit of a quandary

   
10:01 am on Jul 15, 2007 (gmt 0)

10+ Year Member



Hi all,
I'm in a bit of a quandary and was hoping for some advice.
I'm based in the UK and have a meeting this week with a merchant who wants an ecommerce site building.

I discussed their requirements very briefly over the phone prior to making the appointment to scope the project out properly.

When I asked about payment methods, merchant account with the bank etc, this prospective customer was adamant that they did not want to use any online payment system but wanted the credit card details emailed to them from the checkout.

I pointed out that this really wasn't a secure method and that they would be liable for loss of any credit card data - but that didn't bother them and they were happy to take the risk as all their pc's etc are password protected.

I supply the hosting with all of the sites I build, and this covers email etc.

What I'm worried about is - am I liable in any way? I'm a reseller for hosting, I have no idea who may and who may not be able to access their email accounts etc.

Professionally speaking - I don't think they should accept people's data in this way. I certainly wouldn't want my credit card data sitting in logs on mailservers, people's pc's etc.

But, is it up to me to tell them what to do? Obviously I'd like to take the work but....

Anyone been in a similar situation? If so, what did you do? Am I better off leaving alone or should I just shut up and do the job?

8:21 am on Jul 18, 2007 (gmt 0)

10+ Year Member



i'd really like to see cc companies taking action against biz owners who don't take security seriously - the systems are in place to protect cardholders and merchants - it's just up to merchants to implement the systems - and it's not difficult or expensive

well done jenkers on saying no

11:40 am on Jul 18, 2007 (gmt 0)

10+ Year Member



just thought I'd add an update.

I've spoken again to the merchant today and have convinced them (it seems) that Google checkout is a viable and safe option that won't cost them an arm and a leg.

4:47 pm on Jul 18, 2007 (gmt 0)

10+ Year Member



i'd really like to see cc companies taking action against biz owners who don't take security seriously - the systems are in place to protect cardholders and merchants - it's just up to merchants to implement the systems - and it's not difficult or expensive

I'm actually getting the feeling (as a small UK merchant that does currently take payment details on our own server) that the writing is on the wall about this, and we are looking at moving to an online processor for this reason.

@jenkers: moral high-ground and the contract by the sound of it, you can't ask better than that :) Bet they respect you more now as well..

8:26 pm on Jul 18, 2007 (gmt 0)

10+ Year Member



i'd really like to see cc companies taking action against biz owners who don't take security seriously

They do.

3:50 pm on Jul 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Google could be good, but they actually allowed their PCI compliance to expire back in February

-Corey

7:45 pm on Jul 20, 2007 (gmt 0)

5+ Year Member



I wouldn't figure it is your problem. But why not suggest an encryption where you encrypt the data, and only they have the key to decrypt the strings. That way it's still secure, even in an unsecure email.

9:18 pm on Jul 20, 2007 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I wouldn't figure it is your problem. But why not suggest an encryption where you encrypt the data, and only they have the key to decrypt the strings. That way it's still secure, even in an unsecure email.

Well besides being a reason for you to lose your merchant account and making yourself liable for millions of dollars in fraud recouping fees..... here are a few reasons off the top of my head.

Only they? They being who? Someone getting $5.00 an hour to process Credit Card transactions? Sounds safe.

What variables are being filled with the CC number in code before being encrypted? Are any left in memory? What about the encryption algorithm? Where does that live? Is it safe? Can it be touched from the outside to send an extra email in the background that isn't encrypted?

So the key/salt lives on only one computer? Or many? Where are these computers stored? Who else has access to them? Is there a contract cleaning crew coming through the office? Have the backgrounds of their employees been checked? Is this computer on a network?

What is the policy for storing these emails and deleting them? Are they being backed up by some archiving process on the mail server?

What steps happen to the email that gets delivered to the mail server before reaching an end user's computer?

Why can't people wrap their head around how much is at stake with someone else's credit card information?

Be safe... do things right... don't try to be clever about security unless you are in fact an expert. Hash encryption has a place but it isn't for emailing credit card information. Leave this to professionals.

[edited by: Demaestro at 9:23 pm (utc) on July 20, 2007]
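The questions above about mail server archives and stored emails can be checked directly. The following is an added example, not code from any poster in this thread: a scanner that parses stored messages, decodes each text part, and reports Luhn-valid card numbers in masked form. The sample messages, addresses and function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return masked card numbers (first 6 + last 4) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_message(raw):
    """Scan subject and every decoded text part of one RFC 822 message."""
    msg = message_from_string(raw)
    hits = find_pans(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        hits += find_pans(body.decode(charset, errors="replace"))
    return hits

# Constructed samples: 4111 1111 1111 1111 is a well-known test number.
PLAIN = ("From: shop@example.test\nTo: orders@example.test\n"
         "Subject: New order\n\n"
         "Order ref: 1234 5678 9012 3456\nCard: 4111 1111 1111 1111\n")
ENCODED = ("From: shop@example.test\nSubject: New order\n"
           "Content-Type: text/plain; charset=utf-8\n"
           "Content-Transfer-Encoding: base64\n\n"
           + base64.b64encode(b"Card: 4111-1111-1111-1111\n").decode() + "\n")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("base64", ENCODED)):
        print(name, scan_message(raw))
```

The base64 sample is the case a plain text search over a mail spool or backup would miss, which is why the body is decoded before matching.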

5:54 pm on Jul 21, 2007 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



See previous post about GPG/PGP encryption, it is extremely secure but requires more "work" for a client to retrieve the info than a secure CC processing system, so anyone wanting to email CC info most likely wouldn't go for this.

Additionally, it is still unacceptable by merchant providers.

8:01 pm on Jul 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



but requires more "work" for a client to retrieve the info than a secure CC processing system

There are quite a few security gateways on the market today. Most of them handle things like decryption of e-mail at the gateway. The decryption process would be transparent to the person processing the order.

Note: I am not endorsing this method. Just pointing it out as a somewhat secure and easy workaround.

To me it's not worth risking the loss of a merchant account just so I can be stingy about security and in the process open myself to more legal exposure from aggrieved [former] customers.

This 39 message thread spans 2 pages: 39