On Sep 28, 12:31 am, brianp <[email protected]> wrote:
> Hey,
>
> I don't exactly know why the credit card is needed but they gave me a
> pdf version of the form they get people to fill out manually and it's
> on there so...
> I had hoped I could find api's for the services they then re-enter the
> information into with no luck. They said they have to take the
> information and submit it to 1/3 different locations on a case for
> case basis each requiring slightly different information.
There are likely APIs for each of the credit bureaus - I just got done
implementing a similar system to attach to the Lexis-Nexis background
check systems. I'd love to share, but LN puts all their docs under
NDA. :)
> I'm still wondering though how to go about creating the secure
> connections.
The best you're going to be able to manage is likely the previous
suggestion - only make the information available via a secure part of
the site. SSL is a good first step, but more complicated things could
also be useful (two-factor auth, etc).
> As well, if I am storing this kind of sensitive data maybe it would be
> a good idea to have an expiry. Data will only be held for so long
> before it is wiped from the db?
It couldn't hurt to also encrypt the relevant data in the DB, although
that's still not great (you have to have the keys on the server to use
the data...).
>
> The answers have kind of unnerved me. Is this maybe a job I should re-
> assess doing all together? Or as long as I follow the guidelines it
> should be okay?
>
It seems like the client here doesn't have the foggiest idea about
security, and that's a dangerous position for you to be in. Actually
achieving PCI compliance is going to take considerable time and money;
make sure that you document any corners they want you to cut, as
you'll need that if (or when) they get sued for leaking customer info.
It probably wouldn't hurt to have a lawyer do a quick once-over on the
contract to see exactly how much liability you may have if there is a
breach.
--Matt Jones
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
