[ale] cURL/https security question
Raylynn Knight
audilover at atlantabroadband.com
Thu Aug 1 23:52:35 EDT 2002
On Thu, 2002-08-01 at 19:20, jenn at colormaria.com wrote:
> Evaluation of common credit card gateway method needed by those much more
> knowledgeable about security than myself.
>
> Scenario:
> I use CreditCynic (fake company, obviously) to process credit card
> transactions from my shopping cart. CreditCynic provides me with a php class
> that basically urlencodes all the pertinent credit card info, and uses
> cURL to send post data over https. There is no other validation of sender/recipient,
> there isn't any encryption of credit card data using, say, gpg. Just
> posting the form over https.
>
> My gut reaction is that this is *bad* but I know it's very commonplace and
> probably the most used method of processing credit cards for smaller
> merchants.
> I know I'm paranoid but I want someone to assist with either why this is
> as bad as I think it is, or why lots of people seem to think it's OK.
>
> Thanks
> jenn
About 2 years ago I was working for an outsourcing company that did some
work for a company called safeTpay (they have since changed their name
to Kryptosima because of a trademark issue). At that time they were DES
encrypting all credit card data so I think they were pretty secure.
They are located in Hampton, GA and more details are available at
http://www.kryptosima.com/pe_business.html
If you end up getting this mention that a former E-Certify employee
suggested them.
Ray Knight
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
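
Added example (not part of the original messages, and not code from any gateway vendor): the form post described in the question, written so that cURL itself authenticates the recipient by verifying the gateway's TLS certificate and host name before any card data is sent. The endpoint URL, field names and the function name gateway_post are hypothetical, and the card data is constructed sample data.

```php
<?php
// Added illustration; endpoint, field names and function name are hypothetical.

function gateway_post(string $url, array $fields, ?string $pinnedKey = null): string
{
    // Refuse anything that is not HTTPS before a handle is even created.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('gateway URL must be https');
    }

    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_FOLLOWLOCATION => false, // never re-send card data to a redirect target
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($pinnedKey !== null) {
        // Optional: also pin the gateway's public key ("sha256//<base64>").
        $opts[CURLOPT_PINNEDPUBLICKEY] = $pinnedKey;
    }
    curl_setopt_array($ch, $opts);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // Report the transport error only; never log $fields.
        throw new RuntimeException("gateway request failed ($errno): $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("gateway returned HTTP $status");
    }
    return $body;
}

// Constructed sample data (4111... is a widely used test card number).
$fields = ['card_number' => '4111111111111111', 'exp' => '12/30', 'amount' => '10.00'];
try {
    echo gateway_post('https://gateway.example.invalid/charge', $fields);
} catch (Exception $e) {
    error_log($e->getMessage());
}
```

If CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST is turned off, the same post is still encrypted but no longer proves who is on the other end of the connection.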