Re: [Fwd: FW: Shopping Carts exposing CC data]
****** message to minivend-users from mikeh@minivend.com ******
Quoting Steve Cockwell (stevec@sierra.lazarus.ca):
>
> I received this today, but haven't yet investigated it further - I
> thought the people on this list might find it interesting. I doubt that
> minivend would be included in this list (knowing what little I do about
> how it handles CC Info) but maybe Mike could make some sort of official
> comment about how secure CC info is in Minivend, and what a stupid
> person would need to do to make CCs world readable... :-)

Here is my official statement:

-- The recommended configuration of MiniVend does not save
   unencrypted credit card data to disk.

-- The recommended configuration of MiniVend does not place
   files in position to be directly attached to the Internet
   via HTTP.

-- The recommended configuration of MiniVend makes files
   non-world-readable.

In the 3+ years of MiniVend's SSL compatibility, I have never heard of a
properly-setup system losing credit card info. User names and addresses,
yes. I myself have picked up the remnants of several hacked systems and
seen where the user data was transferred off. But all credit card data
was individually encrypted with PGP when saved to disk.

The only problems are where people don't use the available CyberCash-style
payment interfaces or PGP encryption. That is why I literally refuse
to set up systems without it; if I am told that a non-firewalled system
will have en clair credit cards saved to files as a standard procedure
I will immediately stop all consulting work.

I do have an FAQ about this. I refuse to guarantee security, of
course, because as CFM said, users can blow it. But if you follow the
recommendations in the documentation CC numbers should be as secure as
your system, if not more so.

I believe that we, as system designers, have a responsibility to the
users who use our systems. I see that responsibility as taking care of
their data like it was my own.

--
Mike Heins http://www.minivend.com/ ___
Internet Robotics |_ _|____
Fast, reliable, cheap. 131 Willow Lane, Floor 2 | || _ \
Pick two and we'll talk. Oxford, OH 45056 | || |_) |
-- unknown <mikeh@minivend.com> |___| _ <
513.523.7621 FAX 7501 |_| \_\
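
Added example, not part of the original message and not MiniVend's own code: a Python audit of the three points in the statement above (no cleartext card numbers on disk, no order files under the web server's document root, no world-readable order files). The directory layout, file names and the test card number are constructed for illustration.

```python
import os, re, stat, tempfile

PGP_BLOCK = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)
PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit(tree, doc_root):
    """Return sorted (relative path, finding) pairs for every file under tree."""
    findings, root = [], os.path.realpath(doc_root)
    for dirpath, _, names in os.walk(tree):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, tree)
            if os.path.commonpath([os.path.realpath(path), root]) == root:
                findings.append((rel, "under-document-root"))
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            with open(path, errors="replace") as fh:
                clear = PGP_BLOCK.sub("", fh.read())  # ignore armored ciphertext
            if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN.finditer(clear)):
                findings.append((rel, "cleartext-card-number"))
    return sorted(findings)

def build_sample(base):
    """Constructed sample tree: one badly placed order file, one following the advice."""
    samples = {
        "htdocs/orders/000001.txt": (0o644, "name: Test Buyer\ncard: 4111 1111 1111 1111\n"),
        "private/orders/000002.asc": (0o600, "name: Test Buyer\n-----BEGIN PGP MESSAGE-----\n"
                                      "(constructed placeholder)\n-----END PGP MESSAGE-----\n"),
    }
    for rel, (mode, body) in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return os.path.join(base, "htdocs")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, finding in audit(base, build_sample(base)):
            print(f"{rel}: {finding}")
```

The second sample file mirrors the case described in the message: name and address in the clear, card data only inside a PGP block, so it produces no findings.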