SSL and sending email with PDF attachments with CC numbers

drooh

5:30 pm on Jun 9, 2010 (gmt 0)

Client wants users to submit a form with credit card details and have that send an email with a PDF attached containing the sensitive data.

We are getting the server set up with SSL and a dedicated IP; however, I'm wondering what the best way to go about this would be. They do not want to process the transaction online; they want it accessible to them.

I'm wondering if it's a security issue to send them in the email in the PDF, or would it be better to encrypt them and store them in a DB?

Any thoughts?

Demaestro

5:55 pm on Jun 9, 2010 (gmt 0)

My first thought is that it is 99% likely that this violates whatever merchant agreement your client has with their bank.

If fraud happens on a card and they find out you emailed that card number, regardless of whether that was the way the thief got the number, they can be held liable.

I flat out refuse to code logic that emails credit card numbers. There is always a better way.

To answer your question, yes, it is a huge security issue.

drooh

6:22 pm on Jun 9, 2010 (gmt 0)

OK, that is what I was thinking (hence why I was posting).

So then, if emailing sensitive data is out of the question, what about storing that info encrypted in a MySQL database?

topr8

6:55 pm on Jun 9, 2010 (gmt 0)

>> What about storing that info encrypted in a MySQL database?

In order to do this you also have to pass the compliance tests that the credit card companies have.

Additionally, be aware that saving the security number from the signature strip to a database, encrypted or not, will absolutely be in breach of the merchant agreement.

Demaestro

7:03 pm on Jun 9, 2010 (gmt 0)

The best method is to send the requests to a gateway and have them process the card. Make no copies, and just record first_4 last_4 if you want as an ID, but most gateways will assign you, or allow you to assign, an order ID; with that order ID you can refund, recharge, or preauth. No need to store card numbers.

What is the reason for wanting to store this data?

drooh

7:07 pm on Jun 9, 2010 (gmt 0)

They have contracts that may not activate until 6 months or a year down the road. At that time they need to charge the card.

Is there any way to temporarily store the CC numbers that is legit?

Demaestro

7:21 pm on Jun 9, 2010 (gmt 0)

>> Is there any way to temporarily store the CC numbers that is legit?

There are, but the compliance rules are stringent.

>> 6 months or a year down the road. At that time they need to charge the card.

A preauth would allow for this.
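The gateway flow Demaestro describes in this thread (hand the card straight to a gateway, keep only an opaque reference plus first_4/last_4, and charge against the reference when the contract activates) as an added worked example. This is not code from the thread or from any gateway vendor: FakeGateway, its tokenize/charge methods, the sample form data and the field names are constructed stand-ins. One caveat a practitioner would want: a real authorization hold expires after days, not months, so for a charge six months to a year out it is the reusable card reference (token) that carries the later charge, and the record the merchant keeps must never contain the PAN or the CVV.

```python
import json
import re
import secrets
import string

# Constructed sample form submission. The card number is a well-known test
# number, not a real account; treat the whole dict as the untrusted POST body.
SAMPLE_FORM = {
    "name": "A. Customer",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
    "contract_id": "C-2010-0042",
}


def _opaque_id(prefix, length=24):
    # Letters only, so an identifier can never be mistaken for a card number
    # by the leak check below.
    return prefix + "".join(secrets.choice(string.ascii_letters) for _ in range(length))


class FakeGateway:
    """Hypothetical in-memory payment gateway (an assumption, not any vendor's API).

    The PAN lives in the gateway's vault; the merchant application only ever
    holds the opaque token the gateway hands back.
    """

    def __init__(self):
        self._vault = {}   # token -> (pan, expiry), on the gateway's side of the fence
        self.receipts = []

    def tokenize(self, pan, expiry, cvv):
        """Verify the card once and return a reusable reference to it.

        The CVV is checked here and then discarded; nothing may store it.
        """
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("card number must be 13-19 digits")
        if not (cvv.isdigit() and 3 <= len(cvv) <= 4):
            raise ValueError("security code must be 3-4 digits")
        token = _opaque_id("tok_")
        self._vault[token] = (pan, expiry)
        return token

    def charge(self, token, amount_cents):
        """Charge a previously tokenized card; unknown tokens are rejected."""
        if token not in self._vault:
            raise KeyError("unknown card reference")
        receipt = {"token": token, "amount_cents": amount_cents, "status": "approved"}
        self.receipts.append(receipt)
        return receipt


def mask_pan(pan):
    """first_4 ... last_4: enough for the client to recognise the card, useless to a thief."""
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]


def create_order(gateway, form):
    """The only code path that sees the raw card data.

    It forwards the number and CVV to the gateway and builds the record the
    merchant keeps: order id, card reference, masked digits. No PAN, no CVV.
    """
    token = gateway.tokenize(form["pan"], form["expiry"], form["cvv"])
    record = {
        "order_id": _opaque_id("ord_", 12),
        "contract_id": form["contract_id"],
        "name": form["name"],
        "card_ref": token,
        "card_display": mask_pan(form["pan"]),
        "expiry": form["expiry"],
    }
    # Scrub the submitted form in place so a later debug dump or log line
    # of the request cannot pick the sensitive fields up.
    form.pop("pan", None)
    form.pop("cvv", None)
    return record


def charge_later(gateway, record, amount_cents):
    """Months later, when the contract activates: charge by reference, not by card number."""
    return gateway.charge(record["card_ref"], amount_cents)


PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(obj):
    """Guard for anything about to be stored, emailed or logged: True if a
    13-19 digit run (an unmasked card number) is present anywhere in it."""
    return PAN_RUN.search(json.dumps(obj)) is not None


if __name__ == "__main__":
    gw = FakeGateway()
    submission = dict(SAMPLE_FORM)
    order = create_order(gw, submission)
    assert not contains_pan(order) and not contains_pan(submission)
    print("stored record:", json.dumps(order))
    print("later charge:", charge_later(gw, order, 19900))
```

The contains_pan guard is the check worth wiring into every path that serialises a record (database write, email body, PDF generator, logger): if a 13-19 digit run ever reaches it, something upstream kept a copy of the card number it should not have.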

drooh

7:28 pm on Jun 9, 2010 (gmt 0)

What is a preauth and how does that work?