HTTPS is there basically to stop someone from sniffing network traffic on port 80. If someone gets local root on your box they can set up a port sniffer and see every bit of plaintext that comes across a port. With SSL, if someone has root on your box and tries to sniff port 443 or whatever port it is running on, they will see nothing but crypto garbage, and not the credit card transactions.
Regardless if you store a cc or not, if someone has access to your box without you knowing it and they are sniffing your connection they can still get the credit card information on the wire.

-phpninja

On 6/11/07, Victor Villa <[EMAIL PROTECTED]> wrote:
>Is https enough to mostly protect the transmission of credit card data?

Very tricky question. Is HTTP enough for CC use. Yes. No doubt in my mind. https secures the channel that the CC num and details are passed through.

The REAL security question, is what happens with that CC after it passes securely. Is it stored on an exposed database? Is the CC emailed to somebody?

That's actually why I don't store CCs. I run the transaction, let the CC portal (authorize.net) track the CC and I keep the last 6 digits. Enough for our records, not enough to be of value if stolen.

Hope that helps

mj/v

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
