I echo Nick's comments. I'm responsible for security at an L1 service provider, L3 merchant and PA-DSS development shop (along with the 1k other things everyone on this list does :) ) and I have found that the two cardinal rules of payment applications are:

1. Limit the scope
2. Outsource, outsource, outsource

Since I'm repeating what someone else said I'll only cop to this being my $0.01

-rd

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nick Silkey
Sent: Tuesday, March 08, 2011 4:16 PM
To: John BORIS
Cc: [email protected]
Subject: Re: [lopsa-tech] A security question on login requirements for Online Financial System

You should outsource this. Payment processing is specialized, has lots of rules, others elsewhere do it reasonably well, and the marketspace is competitive whereby you can offload all this to a cheap provider + consume the processing-proper as a service, etc.

Who, I don't know. No one has asked me to deal with accepting payments/doing processing so I can't answer that for you. But I'm sure others in LOPSA have used vendorX and can advise whether they love, hate, etc.

My $0.02. Cheers.

--
Nick Silkey

On Tue, Mar 8, 2011 at 3:05 PM, John BORIS <[email protected]> wrote:
> I think this is the correct list so if not sorry.
>
> At work here we are putting together an Online Payment system. I am
> searching for information/best practices/guidelines on secure ways to
> allow users to create accounts on a system. Most of us have paid bills
> online and each has their own way of setting up the account. What I
> need is a security professional that I can bounce my plan off of and
> they will say yea or nay, or some pointer to a best practices paper
> that states suggested ways to do this. I tried one company that does
> security scans but this is not in their wheelhouse. I can talk off
> list about this if need be.
>
> Thanks
>
> John J. Boris, Sr.
> JEN-A-SyS Administrator
> "Remember! That light at the end of the tunnel Just might be the
> headlight of an oncoming train!"
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
