Hi gadgster,

> I'm looking at implementing an app on App Engine that would include
> web selling with credit card transactions. I'm concerned about the
> security implications of this.
>
> Is the App Engine datastore an appropriate place to store sensitive
> data such as customers' personal details, order history and possibly
> encrypted credit card information?

We treat your app's data securely and confidentially - the same way we treat our own data. From a technical perspective, and speaking personally, I feel more secure with my data in the App Engine datastore than I would were I running the app myself and storing it in my own database. Crucially, though, there are two caveats:

- Insecurities in your own app are the most likely cause for compromise of this data. Obviously, we can't help with that.
- You need to determine for yourself what the legal requirements are in your jurisdiction for storing this sort of sensitive data, and whether or not it's possible to meet those requirements while hosting on App Engine.

If you're uncomfortable hosting this sort of information with us, or if legal requirements make it impossible, you may want to check out the Secure Data Connector, which permits you to provide access to your internal systems to an App Engine app, allowing you to store sensitive information at your own facility.

> Are there any current App engine applications that do this?

I'm fairly certain there are, but I can't name any off the top of my head. Perhaps others can suggest some.

> The https support seems to be a problem as it only works on the
> appspot domain and not on AppSpot domain attached to the site.

This is an unfortunate consequence of the way SSL currently works. If you want SSL, you have to redirect users to appspot, at least for the secure part of the transaction.

> Does anyone have any pointers to the best way to implement credit card
> authentication in the App Engine environment? Ideally, we would want
> to authorize credit cards directly on the site and not just accept
> Paypal/Google Checkout.
>

You'll need to find a payment provider and contract with them to perform credit card billing. As far as that goes, App Engine is no different to any other platform - you need to interact with them using a web service interface of some sort.

I would strongly echo the comments of other posters in suggesting using an existing service like Paypal or Google Checkout, though. The best way to secure your customers' sensitive data is to not store it in the first place!

On Thu, Jun 4, 2009 at 3:01 PM, gadgster <[email protected]> wrote:

> I agree that using Paypal/Google checkout would be easier for us and
> probably better for the customer. Unfortunately for me, management
> feeling is that not accepting credit cards directly on the site is
> perceived by customers as "unprofessional" and it is considered a
> requirement of the site.

You might want to point out to them that App Engine itself uses Google Checkout for payment processing.

-Nick Johnson

> This is a main blocker in getting permission to implement our site on
> App Engine.
>
> On Jun 4, 5:51 pm, Kilohoku150 <[email protected]> wrote:
> > Sorry - to be more clear, why would you want to reinvent this rather
> > than use the existing services that are designed to deal with such
> > topics.
> >
> > I personally would not want the responsibility of holding people's
> > personal details, following up on credit card orders, etc.
> >
> > On Jun 4, 11:49 am, Kilohoku150 <[email protected]> wrote:
> >
> > > Why not just use Google Checkout?
> >
> > >http://checkout.google.com/
> >
> > > On Jun 3, 8:03 pm, gadgster <[email protected]> wrote:
> >
> > > > Hello,
> >
> > > > I'm looking at implementing an app on App Engine that would include
> > > > web selling with credit card transactions. I'm concerned about the
> > > > security implications of this.
> >
> > > > Is the App Engine datastore an appropriate place to store sensitive
> > > > data such as customers' personal details, order history and possibly
> > > > encrypted credit card information?
> >
> > > > Are there any current App engine applications that do this?
> >
> > > > The https support seems to be a problem as it only works on the
> > > > appspot domain and not on AppSpot domain attached to the site.
> >
> > > > Does anyone have any pointers to the best way to implement credit card
> > > > authentication in the App Engine environment? Ideally, we would want
> > > > to authorize credit cards directly on the site and not just accept
> > > > Paypal/Google Checkout.
> >
> > > > Regards
> > > > Tom Bailey
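
The redirect to appspot described in the reply above, as an added example that is not part of the original thread: a plain WSGI middleware (no App Engine APIs) that sends checkout pages to HTTPS on the appspot host and rejects form posts that arrive any other way. The host name `example-shop.appspot.com`, the path prefixes, the `shop` app and the `run` helper are assumptions made for the illustration.

```python
from urllib.parse import quote

APPSPOT_HOST = "example-shop.appspot.com"    # assumed app id (placeholder)
SECURE_PREFIXES = ("/checkout", "/account")  # assumed paths carrying sensitive data

def needs_secure(path):
    """True for a secure prefix itself or anything below it (not /checkoutx)."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PREFIXES)

def secure_url(environ):
    """Rebuild the requested URL on the HTTPS appspot host."""
    url = "https://" + APPSPOT_HOST + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")  # already URL-encoded in WSGI
    return url + ("?" + query if query else "")

class RequireAppspotHTTPS:
    """Lets secure paths through only when served over HTTPS on the appspot host."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        on_tls = environ.get("wsgi.url_scheme") == "https" and host == APPSPOT_HOST
        if not needs_secure(path) or on_tls:
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
            start_response("302 Found", [("Location", secure_url(environ))])
            return [b""]
        # A form body that already crossed the network in clear text cannot be
        # un-sent, so refuse it instead of redirecting and processing it.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Submit this form over HTTPS.\n"]

def shop(environ, start_response):  # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def run(app, method, scheme, host, path, query=""):
    """Drive the app with a constructed request; return (status, headers)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

app = RequireAppspotHTTPS(shop)
```

Forms on the custom domain should set their `action` to the HTTPS appspot URL directly, so that card data is never posted to the plain-HTTP host in the first place; the 403 branch is only a backstop.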
