On Tue, Jun 22, 2010 at 8:41 AM, Scott Stroz <[email protected]> wrote:
> My question is, I know the credit card information this guy's
> customers are supplying to him is not secure, do I have an ethical
> obligation to report him?
>

No, but you might have wanted to change your quote though ;-)

Everyone has to get in compliance this year anyway so reporting is kinda moot, he has to do it regardless.

1. Loop over existing cards and encrypt
2. Delete CVV number, most payment APIs don't even require it anyway.
3. Change scripts to decrypt or encrypt when needed.
4. Done

There could be some additional areas of interest like who can see credit cards in an administration interface, but it's fairly simple for these items above.

I have not seen anything that says you can't store data in a shared DB, although of course it should be encrypted and you are not allowed to store the CVV number. Everything else is related to the firewall and other sections about who has access to the DB, card data and like that may not even fall into your portion of the project.

Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:321652
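The four-step migration described in the reply, worked through as an added example (this is not code from the list post or from any ColdFusion project; it is written in Go so it runs stand-alone). It assumes the card table can be modelled as a slice of `CardRow` records, uses AES-256-GCM from the Go standard library, and treats the key as something loaded from outside the card database. The sample rows and customer ids are constructed test data; `4111111111111111` and `5555555555554444` are well-known test PANs, not real cards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// CardRow models one row of the existing customer-card table (assumed layout).
// Before migration the PAN is plaintext and the CVV is stored; after migration
// the PAN lives only as AES-GCM ciphertext and the CVV column is empty.
type CardRow struct {
	Customer  string
	PAN       string // plaintext PAN, present only before migration
	CVV       string // must be deleted: it may not be stored at all
	PANCipher string // hex(nonce || AES-GCM ciphertext); empty before migration
}

// newAEAD builds AES-256-GCM from a 32-byte key held outside the card database.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN with a fresh random nonce. The customer id is bound
// in as associated data so a ciphertext cannot be moved to another row.
func encryptPAN(aead cipher.AEAD, pan, customer string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(customer))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// decryptPAN is what the changed scripts (step 3) call when they need the number.
func decryptPAN(aead cipher.AEAD, blob, customer string) (string, error) {
	raw, err := hex.DecodeString(blob)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(customer))
	if err != nil {
		return "", err // wrong key, wrong row, or tampered data
	}
	return string(pt), nil
}

// MigrateCards is steps 1 and 2: encrypt every stored PAN, then clear the
// plaintext PAN and the CVV. Rows already migrated are skipped, so a re-run is safe.
func MigrateCards(aead cipher.AEAD, rows []CardRow) error {
	for i := range rows {
		if rows[i].PANCipher != "" {
			continue
		}
		blob, err := encryptPAN(aead, rows[i].PAN, rows[i].Customer)
		if err != nil {
			return err
		}
		rows[i].PANCipher = blob
		rows[i].PAN = ""
		rows[i].CVV = ""
	}
	return nil
}

// VerifyMigration is the post-migration check: no plaintext PAN or CVV may remain.
func VerifyMigration(rows []CardRow) error {
	for _, r := range rows {
		if r.PAN != "" || r.CVV != "" || r.PANCipher == "" {
			return fmt.Errorf("row for %s still holds cardholder data in the clear", r.Customer)
		}
	}
	return nil
}

// SampleRows returns constructed test data standing in for the existing table.
func SampleRows() []CardRow {
	return []CardRow{
		{Customer: "cust-1001", PAN: "4111111111111111", CVV: "123"},
		{Customer: "cust-1002", PAN: "5555555555554444", CVV: "987"},
	}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // in production the key comes from a key store, never from the card DB
	}
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	rows := SampleRows()
	if err := MigrateCards(aead, rows); err != nil {
		panic(err)
	}
	fmt.Println("verify:", VerifyMigration(rows))
	pan, _ := decryptPAN(aead, rows[0].PANCipher, rows[0].Customer)
	fmt.Println("round trip:", pan)
}
```

Binding the customer id as associated data is the design choice worth noting: with plain encryption an administrator with write access to the table could copy one customer's ciphertext into another row and have the decrypt script hand it back; with GCM's associated data the open fails instead. `VerifyMigration` is the check to run before declaring step 4 done.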
