[ic] How to get Credit Card # in admin

Jim Balcom jim@idk-enterprises.com
Thu, 5 Apr 2001 10:03:14 -0400


> On Thu, Apr 05, 2001 at 07:57:18AM -0400, Mike Heins wrote:
> > Quoting Bob Puff@NLE (bob@nleaudio.com):
> > > Hi Gang,
> > >
> > > Tonight I was trying to get the credit card info to appear in the
> > > admin page for orders.

> Mike and I disagree on credit cards.  Me, I think they exist specifically
> to enable commerce in untrusted environments.  There is only incidental
> liability to the shopper.
>
> 90% of security breaches are internal.  Of the remaining 10%, 90% are
> system failures.  Then we can start talking about criminal intent, where
> the secure server/encryption comes in.  Your concept of "secure server"
> is ***way*** off base.  Think about the whole process as a security
> issue.  If your clients are unable to process PGP mail and have to pick
> up orders in the clear manually, there is no security; client data and
> order integrity are likely going to be bigger issues than credit cards.
> Charge them more and train them.

There is also the case where the administrator is sitting at the console for
the server, or on a LAN connected to the server.
In my case, all administration is being done either at the console of the
Linux box, or across the internal LAN to a Windows 95 box. Once the data is
transferred to the Win95 box - where the POS is located - the order
information is removed from the Linux box. Since the Win95 box is not set up
as a server, theft of that data would have to be someone who is actually on
the premises.

The longest that a credit card number sits on the server in my case is 14
hours - max, and that's if they enter the order right after we close and it
doesn't get transferred until the next morning.

-= Jim =-