Just to add to the comments of others: People know they need to encrypt data on the server but then they don't think about doing things like passing data over the local intranet unencrypted. Note all points where the data resides and ensure each point is secure.
To do encryption, many people assume they can simply shell out, pass a card ID to a server utility that does the encryption, and capture the results for storage. Depending on how that's done, the ID is in plain view of anyone who can snoop on the system during the time the encryption process is taking place. While it might seem paranoid to worry about hacks that monitor memory, processes, or disk access, or about something that will monitor the local intranet, this is exactly the sort of thing that commonly finds its way onto local network systems because people are downloading things they shouldn't.

Combining those concepts, Mike said he wants to provide a secure solution to his customers. VARs are in a precarious situation when it comes to providing software that must be used in a secure environment. We can make lots of recommendations, but it's up to the end users to properly secure their environment on an ongoing basis. VARs must limit their liability against consequences when end users do not create a proper environment for using the software we provide.

About printing, all I can recommend is that you don't allow users to print a listing of card numbers and owners into a spooler file; at that point it's all plain text.

Final note: I recommend breaking up any secure data you have and storing it in different files. A compromised credit card number is no good without other data, including name, address, ZIP code, phone number, etc. If you store the card ID in pieces, and encrypted, and separate from this other data, then even if the environment is compromised, the only person who could make use of the data would be someone who is intimate with your code and file structures.

HTH
Tony Gravagno
Nebula Research and Development
TG@ remove.pleaseNebula-RnD.com
Nebula R&D sells Pick/MultiValue products worldwide, and provides related development services
remove.pleaseNebula-RnD.com/blog
Visit PickWiki.com! Contribute!
http://Twitter.com/TonyGravagno

> From: Mike Dallaire
> We are looking for any thoughts on storing credit card
> information in UniVerse for our customers. Up until
> now we have not stored this information and we welcome
> any thoughts, helpful tips, etc. on doing so. We have
> already decided we will encrypt the stored data, but
> there are other issues such as printing of the data,
> etc.
>
> Keep in mind we provide the software, our customers
> are using and controlling the data.

_______________________________________________
U2-Users mailing list
[email protected]
http://listserver.u2ug.org/mailman/listinfo/u2-users
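Added example, not part of Tony's post or of any U2/UniVerse product: a concrete demonstration of the "shell out and pass the card ID" leak he describes. A value placed on a child process's command line is visible to every other user on the machine for as long as the child runs (on Linux via the world-readable /proc/<pid>/cmdline, elsewhere via `ps`), while a value fed over a pipe is not. The "encryption utility" here is a stand-in that only hashes its input with SHA-256 so the demo runs with the standard library alone; the card number is a well-known test number, and the child programs, function names and the /proc-with-ps-fallback snooper are all this example's own assumptions.

```python
import hashlib
import subprocess
import sys

# Constructed sample value for the demo: a well-known test number, not a real account.
SAMPLE_PAN = "4111111111111111"

# Stand-in for the "server utility that does the encryption" written the risky way:
# the value arrives as argv[1]. It waits for stdin to close before finishing so the
# demo has a deterministic window in which a snooper can look, simulating a slow utility.
CHILD_ARGV = (
    "import sys, hashlib\n"
    "sys.stdin.read()  # stall until the parent closes the pipe\n"
    "print(hashlib.sha256(sys.argv[1].encode()).hexdigest())\n"
)

# The same utility written the safer way: the value is read from stdin and never
# appears in the process table. SHA-256 is only a placeholder for real encryption.
CHILD_STDIN = (
    "import sys, hashlib\n"
    "pan = sys.stdin.read().strip()\n"
    "print(hashlib.sha256(pan.encode()).hexdigest())\n"
)


def expected_token(pan):
    """What the stand-in utility prints for a given value (used to check both paths)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def visible_cmdline(pid):
    """Read a process's command line the way `ps` (or any local user) can.
    /proc/<pid>/cmdline is world-readable on Linux; fall back to `ps` elsewhere."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def tokenize_via_argv(pan):
    """Risky pattern: shell out with the card value on the command line.
    Returns (what a snooper sees in the process table, the utility's output)."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_ARGV, pan],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    snooped = visible_cmdline(child.pid)   # taken while the utility is still running
    out, _ = child.communicate("", timeout=30)  # closing stdin lets the child finish
    return snooped, out.strip()


def tokenize_via_stdin(pan):
    """Safer pattern: keep the value off the command line and feed it over a pipe.
    Returns (what a snooper sees in the process table, the utility's output)."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_STDIN],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    snooped = visible_cmdline(child.pid)
    out, _ = child.communicate(pan + "\n", timeout=30)
    return snooped, out.strip()


if __name__ == "__main__":
    seen, tok = tokenize_via_argv(SAMPLE_PAN)
    print("argv : leaked =", SAMPLE_PAN in seen, "| token ok =", tok == expected_token(SAMPLE_PAN))
    seen, tok = tokenize_via_stdin(SAMPLE_PAN)
    print("stdin: leaked =", SAMPLE_PAN in seen, "| token ok =", tok == expected_token(SAMPLE_PAN))
```

Passing the value in an environment variable instead is only marginally better: on Linux /proc/<pid>/environ is readable by the same user and by root, and child processes inherit the whole environment. A pipe (or a shared-memory handoff inside one process) keeps the exposure to the two processes that actually need the value, which is the smallest footprint the shell-out design allows.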
