[ale] cURL/https security question
jenn at colormaria.com
Thu Aug 1 19:20:08 EDT 2002
Evaluation of common credit card gateway method needed by those much more
knowledgeable about security than myself.
Scenario:
I use CreditCynic (fake company, obviously) to process credit card
transactions from my shopping cart. CreditCynic provides me with a php class
that basically urlencodes all the pertinent credit card info, and uses
cURL to send post data over https. There is no other validation of sender/recipient,
there isn't any encryption of credit card data using, say, gpg. Just
posting the form over https.
My gut reaction is that this is *bad* but I know it's very commonplace and
probably the most used method of processing credit cards for smaller
merchants.
I know I'm paranoid but I want someone to assist with either why this is
as bad as I think it is, or why lots of people seem to think it's OK.
Thanks
jenn
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
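
The transport described in the message, shown as an added example (not part of the original post and not the gateway's own class): a PHP cURL POST that sends the form only if the server's certificate chain and hostname verify, which is the recipient check HTTPS itself provides. The function name, gateway URL and field names are assumptions, and the card data is constructed.

```php
<?php
// Added example. post_to_gateway(), the URL and the field names are hypothetical.

/**
 * POST urlencoded form fields over HTTPS. The request fails, and nothing is
 * sent, unless the server certificate chains to a trusted CA and matches the
 * hostname in $url.
 */
function post_to_gateway(string $url, array $fields, ?string $caBundle = null): string
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('gateway URL must be https');
    }

    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the hostname
        CURLOPT_FOLLOWLOCATION => false, // never re-send card data to a redirect target
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle; // explicit trust store instead of the system default
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        // Covers DNS, connect and TLS verification failures alike.
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status !== 200) {
        throw new RuntimeException("gateway returned HTTP $status");
    }
    return $body;
}

// Constructed sample input; the host is a reserved name that never resolves.
try {
    $card = ['card_number' => '4111111111111111', 'expiry' => '12/30', 'amount' => '19.99'];
    echo post_to_gateway('https://gateway.example.invalid/charge', $card);
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // the message carries the cURL error, not the card fields
}
```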