Re: [ic] How to get Credit Card # in admin
Quoting Bob Puff@NLE (bob@nleaudio.com):
> > Not so. What happens when your system gets cracked? Credit card numbers are
> > there for the taking.
>
> If the system gets cracked, credit card numbers are there for the taking even
> if it's not in the admin. As was stated before, there are a few files that
> store the credit card number, that anyone with root access can easily find.
> Just have a look in the ORDERS directory. Plain text credit card numbers.

That is prior to using the recommended encryption. Before your store
goes live, you should set the main route encrypt_program to a good value:

    Route main encrypt_program "gpg -r you@yours.com -e -a --always-trust --batch"

or remove mv_credit_card_info from the etc/report file.

It is a difficult situation when distributing a program. If I remove
[value mv_credit_card_info] from the output, then we will get a slew of
questions about "where is the credit card info". If we set things up to
require GPG by default, then that makes things very difficult for testing.

I should probably remove the individual_track and track setting from the
default route, or set behavior when encrypt_program=null to say "CREDIT
CARD INFO REMOVED SINCE NOT ENCRYPTED". That second is better, I think,
and I will do it. We will have to live with the inevitable questions,
though I think it will be better now that GPG and PGP are in wide use.

Bottom line is, before enabling a catalog to go live, you should obtain
and set up GPG and set up for encryption as is recommended in the docs
and FAQ.

Thinking about it, maybe I will set the demo to be:

    Variable ENCRYPTOR echo Encryption not enabled yet.
    EncryptProgram __ENCRYPTOR__
    Route main encrypt_program "__ENCRYPTOR__"

That should tell people what is going on, yet not cause encryption
errors in the checkout process. That is the ticket.

I may not always seem like it, but I am grateful for all the feedback
and ideas I get from all of you. Thanks, Bob.

--
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <mheins@redhat.com>
Fast, reliable, cheap. Pick two and we'll talk. -- unknown
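
A pre-go-live check in the spirit of the advice above, as an added example that is not part of the original message or of Interchange: it scans the text of an order report for Luhn-valid card numbers that sit outside a PGP-armored block. The function names and the sample reports are constructed for illustration; reading the files from a catalog's orders directory is left to the caller.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_order_text(text):
    """Return (line_no, masked_number) for card-like numbers outside PGP armor."""
    findings, in_armor = [], False
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == ARMOR_BEGIN:
            in_armor = True
        elif stripped == ARMOR_END:
            in_armor = False
        elif not in_armor:      # armored ciphertext may contain digit runs; skip it
            for m in CANDIDATE.finditer(line):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    findings.append((line_no, "*" * (len(digits) - 4) + digits[-4:]))
    return findings

# Constructed sample reports (4111 1111 1111 1111 is a well-known test number).
PLAINTEXT_ORDER = "Order: TEST0001\nCard type: visa\nCard number: 4111 1111 1111 1111\n"
ENCRYPTED_ORDER = (
    "Order: TEST0002\n"
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEOAx4111111111111111Zz\n"   # constructed filler, not real ciphertext
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT_ORDER), ("encrypted", ENCRYPTED_ORDER)):
        print(name, scan_order_text(text))
```

Findings carry only the last four digits, so the scanner's own output does not become another plaintext copy of the card number.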