Re: Encrypting entire order file
****** message to minivend-users from mikeh@minivend.com ******
Quoting Erik Aase-Remedios (erik@fourfish.com):
>
> Larry,
>
> I like the simplicity of your solution, as I had tried to encrypt the
> whole order (using PGP/MIME) with no success myself.
>
> Won't this leave a security exposure? As I understand minivend, it uses
> EncryptProgram to encrypt the CC as soon as it receives it. Then when the
> order gets built it just includes the encrypted ccinfo.
>
> Doesn't your solution mean that the ccinfo will be unencrypted in the
> session db?
>
Yes, in the normal state of affairs.
I recommend:

    CreditCardAuto  No
    PGP             1
    EncryptProgram  pgp -fat -r ....whatever

Then put [cgi mv_credit_card_number] in your report as the
credit card number stuff. If you want to do the LUHN-10
checking, you can use:

    [if base=validcc
        term="[calc]
            my $tmp = q{[cgi mv_credit_card_number]};
            $tmp =~ m/(\d)/;
            $type = $1;
            $type eq '4' and return $card = 'visa';
            $type eq '5' and return $card = 'mc';
            $type eq '3' and return $card = 'amex';
            $type eq '6' and return $card = 'discover';
            $card = '';
        [/calc]"
        op="[calc]
            my $cc = q{[cgi mv_credit_card_number]};
            $cc =~ s/\D//g;
            return $cc;
        [/calc]"
        compare="[cgi mv_credit_card_exp_month]/[cgi mv_credit_card_exp_year]"
    ]
    LUHN-10 is OK
    [else]Bad LUHN-10[/else]
    [/if]

Or you can try order routes (Route directive), which should be
fairly well documented (within my ability to well-document something) 8-)
in the latest beta. This allows an unlimited number of encryption keys,
email addresses, and order reports.
--
Mike Heins http://www.minivend.com/ ___
Internet Robotics |_ _|____
131 Willow Lane, Floor 2 | || _ \
It's a little-known fact Oxford, OH 45056 | || |_) |
that the Y1K problem caused <mikeh@minivend.com> |___| _ <
the Dark Ages. -- unknown 513.523.7621 FAX 7501 |_| \_\
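
What the LUHN-10 check in the message above computes, as an added stand-alone Perl example (not part of the original message and not MiniVend's own validcc code). The function names and the 12 to 19 digit length bound are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: stand-alone LUHN-10 check, not MiniVend's validcc code.
use strict;
use warnings;

# Leading digit to card brand, mirroring the term= block in the message.
my %BRAND = (3 => 'amex', 4 => 'visa', 5 => 'mc', 6 => 'discover');

# Hypothetical helper: brand from the first digit found, '' if unknown.
sub card_brand {
    my ($input) = @_;
    return '' unless defined $input && $input =~ m/(\d)/;
    return exists $BRAND{$1} ? $BRAND{$1} : '';
}

# Hypothetical helper: 1 if the digits in $input pass LUHN-10, else 0.
sub luhn_ok {
    my ($input) = @_;
    return 0 unless defined $input;
    (my $cc = $input) =~ s/\D//g;    # strip non-digits, as in the op= block
    # Assumption: accept 12 to 19 digits. This also rejects the empty
    # string, whose digit sum of 0 would otherwise pass the check.
    return 0 if length($cc) < 12 || length($cc) > 19;

    my ($sum, $double) = (0, 0);
    for my $d (reverse split //, $cc) {
        my $v = $double ? $d * 2 : $d;   # double every second digit from the right
        $v -= 9 if $v > 9;               # same as adding the two digits of $v
        $sum += $v;
        $double = !$double;
    }
    return $sum % 10 == 0 ? 1 : 0;
}

# Constructed sample inputs (test-style numbers, not real cards).
for my $n ('4111-1111-1111-1111', '4111 1111 1111 1112', '') {
    printf "%-22s brand=%-8s %s\n",
        "'$n'",
        card_brand($n) || 'unknown',
        luhn_ok($n) ? 'LUHN-10 is OK' : 'Bad LUHN-10';
}
```

LUHN-10 only catches mistyped digits; it says nothing about whether the card exists or can be charged.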