I would suggest that you talk with him first. Emphasize how much he would be liable for if there is a breach. And give him the option. If he hasn't done anything about it after a while (about a couple of days, let's say), then report him.
larry

On Tue, Jun 22, 2010 at 8:41 AM, Scott Stroz <[email protected]> wrote:
>
> Last week, I was contacted by someone to update the payment processing
> on their e-commerce site. The reason for the update is that the site
> is not PCI compliant.
>
> I spoke with the client for a while to get an idea of what was really
> needed/wanted and quoted him a price. I will admit I padded the quote
> quite a bit since I was going to be diving into someone else's code. I
> have been bitten by this before and it has cost me a lot of money.
>
> I started getting everything set up locally and noticed that not only
> was this person storing credit card numbers and the 3 digit security
> code in the DB, but the DB was on a shared host.
>
> He sends me an email late Friday afternoon asking me to not start
> working as it will cost more than he wants to pay (I had already put
> in a few hours which he already said he will not pay me for).
>
> My question is, I know the credit card information this guy's
> customers are supplying to him is not secure, do I have an ethical
> obligation to report him?
>
> --
> Scott Stroz
> ---------------
> You can make things happen, you can watch things happen or you can
> wonder what the f*&k happened. - Cpt. Phil Harris
>
> http://xkcd.com/386/
>

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:321655
Subscription: http://www.houseoffusion.com/groups/cf-community/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-community/unsubscribe.cfm
