My response is mixed in below...
>*Assuming* you are shipping product immediately, or you are selling
>something intangible like memberships that needs no shipping delay, then
>you can settle immediately as well. Otherwise I'm pretty sure you are
>bound ethically -- and probably legally in at least some areas -- to
>auth at time of sale and settle at time of shipment.
Yeah, this is what I thought; I just wanted to ask the question, though, as I
know others are collecting up front and shipping weeks later.
>Think of what you personally would do to a merchant who charged your
>card and then shipped a week later... And think of all the merchants
>who swear they would never do this to a customer. By settling and not
>shipping you jump to the other side of this fence.
...Agreed
>Storing the cc info in the db is Bad News no matter how you slice it.
>If you absolutely must you can store the data in a field that uses
>public/private key encryption at reasonable (i.e. 1024 bit) strength,
>assuming you follow the practices necessary to do that job right. In
>other words sacrifice convenience and force people to enter the private
>key... Don't leave it on the server (!!!) Any lesser level of
>encryption shouldn't even be considered. My personal favorite
>encryption tool is cfx_textcrypt. For US$40 or thereabouts you can't
>beat it.
Thanks, I will check out the tag, but most likely with this new version I
will not be storing the CC numbers anymore.
>As for storing the cards in a db and downloading the info daily, I get
>shivers just thinking about it. If you are encrypting the data as
>described above I suppose that would be as safe as such a thing can be.
>However if you are storing them in the clear, and/or not transferring
>the file over secure ftp... Holy failure to perform due diligence,
>Batman!
When I downloaded the data, it was through an SSL connection. I always knew it
was a bad idea no matter how I sliced it... but I had to do something. It
seems that my co-located servers were less secure than my home systems.
Now my servers are behind a nice hardware firewall, and the SQL server is
connected directly to the web server through a second net card.
>Lastly, you can opt to do it the safest way possible: Don't store the
>cc numbers at all. Collect them on your secure form, send them to the
>card processing gateway and DON'T store them. There are many who will
>say this is the best way, and I think it is. It limits the customer's
>liability and, perhaps as importantly, your own.
Yeah, I agree, and this is how I will be doing it now that I have configured
and set up a custom API to my merchant.
Well, thanks for all the great feedback; it pretty much confirmed what I was
thinking. If you want to check out the cart and run it through its
paces for security issues or functionality, let me know and I will post the link
if anyone is interested.
Neal Bailey
Internet Marketing Manager
E-mail: [EMAIL PROTECTED]
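The two recommendations that run through this exchange, authorize at time of sale but settle only at shipment, and hand the card number to the gateway without ever persisting it, are shown together below. This is an added example, not code from the thread, from cfx_textcrypt, or from the poster's cart; the gateway client (`MockGateway`, its `authorize`/`capture` calls and the `auth_` reference format) is a hypothetical stand-in for whatever merchant API is in use, and the card number is a constructed test value.

```python
"""Authorize at sale, capture at shipment, persist no card number.

Added example. The gateway here is an in-memory stand-in (assumption, not a
real processor API); the order store is the only thing a real cart would
write to its database, and it never receives the PAN.
"""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class MockGateway:
    """Hypothetical card processing gateway: issues an opaque auth reference,
    later captures (settles) it. A real gateway would validate the card."""
    auths: dict = field(default_factory=dict)

    def authorize(self, pan: str, exp: str, amount_cents: int) -> str:
        ref = "auth_" + secrets.token_hex(8)           # opaque reference only
        self.auths[ref] = {"amount": amount_cents, "captured": False,
                           "last4": pan[-4:], "exp": exp}
        return ref

    def capture(self, ref: str) -> int:
        entry = self.auths[ref]
        if entry["captured"]:
            raise ValueError("authorization already captured")
        entry["captured"] = True
        return entry["amount"]


@dataclass
class Order:
    """What the cart persists: gateway reference and last four, nothing more."""
    order_id: str
    amount_cents: int
    auth_ref: str
    card_last4: str
    status: str = "authorized"        # authorized -> captured


class Cart:
    def __init__(self, gateway: MockGateway):
        self.gateway = gateway
        self.orders: dict[str, Order] = {}   # stands in for the orders table

    def checkout(self, order_id: str, pan: str, exp: str, amount_cents: int) -> Order:
        """Time of sale: authorize only. The PAN is passed straight through to
        the gateway and is not part of anything written to self.orders."""
        pan = re.sub(r"\D", "", pan)                   # drop spaces and dashes
        ref = self.gateway.authorize(pan, exp, amount_cents)
        order = Order(order_id, amount_cents, ref, pan[-4:])
        self.orders[order_id] = order
        return order

    def ship(self, order_id: str) -> Order:
        """Time of shipment: settle the earlier authorization."""
        order = self.orders[order_id]
        if order.status != "authorized":
            raise ValueError(f"order {order_id} is {order.status}, cannot capture")
        self.gateway.capture(order.auth_ref)
        order.status = "captured"
        return order


def stored_fields_contain_pan(orders: dict, pan: str) -> bool:
    """Audit helper: scan every persisted order field for the full PAN.
    Run this against a test card after checkout to confirm nothing leaked."""
    digits = re.sub(r"\D", "", pan)
    return any(digits in str(value)
               for order in orders.values()
               for value in vars(order).values())


def masked_number(last4: str) -> str:
    """Display form for receipts and the admin UI."""
    return "**** **** **** " + last4


if __name__ == "__main__":
    gw = MockGateway()
    cart = Cart(gw)
    # Constructed test card; not a real account.
    order = cart.checkout("ord-1", "4111 1111 1111 1111", "12/30", 4999)
    print(order.status, masked_number(order.card_last4))
    print("PAN in store:", stored_fields_contain_pan(cart.orders, "4111 1111 1111 1111"))
    print(cart.ship("ord-1").status)
```

The point of `stored_fields_contain_pan` is that "we don't store card numbers" is a claim worth checking mechanically: run it against a known test card after a checkout, and again after any schema or logging change, because a PAN most often ends up on disk by way of a debug log or a serialized request object rather than a deliberate column.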