Credit Card Details

Subject Author Date
Credit Card Details Griff 12-20-2007
|--> Re: Credit Card Details Roger Abell [MV...12-21-2007
`--> Re: Credit Card Details Anne & Lynn Whe...12-26-2007
Posted by on December 20, 2007, 10:47 am
Thanks, Ron. I hope you enjoy the holidays as well.

> Mr. Goerlich, Thanks for the come back. You're always very informative,
> I've read many posts. Enjoy your Holidays. Ron
>
>
>
> "jwgoerl...@gmail.com" wrote:
> > Hello Ron,
>
> > I mean flushing the information on the ecommerce web and database
> > servers. This is not on your own computer.
>
> > Some companies, like Amazon.com, store the credit card information and
> > keep it on file after your purchase. This is a concern because, should
> > the data fall into the wrong hands, the credit card numbers could be
> > misused.
>
> > Other companies, like Solarbotics, do not store the credit card
> > information. They process the transaction and flush all identifying
> > information. Should the information fall into the wrong hands, there
> > is nothing to outright misuse. More companies should operate like
> > Solarbotics, in my opinion.
>
> > Consumers have control over this insofar as spending their money with
> > companies with stringent security and privacy guidelines.
>
> > J Wolfgang Goerlich
>
> > Solarbotics
> > http://www.solarbotics.com/info/privacy-policy/
>
> > > Hi, I would like to know more on what you mean by: Flush the card
> > > information after confirmation. If I've made purchases using a card #
> > > where would that number be hiding on my computer. Thank You Ron


Posted by Roger Abell [MVP] on December 21, 2007, 8:00 am
> Hello Ron,
>
> I mean flushing the information on the ecommerce web and database
> servers. This is not on your own computer.
>
> Some companies, like Amazon.com, store the credit card information and
> keep it on file after your purchase. This is a concern because, should
> the data fall into the wrong hands, the credit card numbers could be
> misused.
>
> Other companies, like Solarbotics, do not store the credit card
> information. They process the transaction and flush all identifying
> information. Should the information fall into the wrong hands, there
> is nothing to outright misuse. More companies should operate like
> Solarbotics, in my opinion.
>
> Consumers have control over this insofar as spending their money with
> companies with stringent security and privacy guidelines.
>

Hi Wolfgang,

Perhaps in the EU consumers have a handle with which to
exert control over this, but in my experience not in the USA.
One is rarely told that the info is being retained, let alone
asked that it may be, it is just done - and not by the big, major
etailers that might expect one's return business but by even the
little mom-and-pop type companies that have gone online (and
you know that the data is sitting on a little, old Windows PC
that is under the desk in the store's office).

The situation is in my opinion very bad. I rarely join into
advocacy groups, but if there were a lobby group trying to
get laws passed to define "my" rights over "my" information
and get some better practices in use, I would be on board.

Roger


> J Wolfgang Goerlich
>
>
> Solarbotics
> http://www.solarbotics.com/info/privacy-policy/
>
>> Hi, I would like to know more on what you mean by: Flush the card
>> information after confirmation. If I've made purchases using a card #
>> where would that number be hiding on my computer. Thank You Ron



Posted by Griff on December 20, 2007, 12:51 pm
Excellent - thanks!



Posted by Roger Abell [MVP] on December 21, 2007, 8:02 am
> If sensitive information (such as a credit card) has to be saved to a
> database then there is a duty of care to protect this information.
>
> If the data is saved in plain text, then there is a concern that a hacker
> gaining access to the server will therefore gain access to the credit card
> data.
>
> One option is therefore to encrypt it. This means that the data is stored
> on the server in an encrypted format. However, at some stage, the
> software will legitimately need to decrypt the data in order to use this
> information. To achieve this, it has to have access to the key to decrypt
> the information. If the software has access to this decryption key then
> surely so will any hacker. It would be equivalent to buying a secure safe
> and hanging the keys next to it.
>
> There must be a more secure implementation - could someone describe it?
>
> Many thanks
>
> Griff

With Windows the keys are not quite hanging next to the safe.
In order to access the keys one must be running in the context of
the correct account, and must have done so without resetting the
account's password. That, along with finding out what account,
at least places some hurdles in the path to the keys.

Roger
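
The account-bound key access described in the reply above, as an added example that is not part of the thread: it assumes the mechanism meant is the Windows Data Protection API (DPAPI), which the post does not name, reached through the .NET `ProtectedData` class. The function names, the entropy label and the test card number are constructed for illustration.

```powershell
# Added example (Windows only). Assumption: the reply refers to DPAPI.
Add-Type -AssemblyName System.Security

function Protect-CardField {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [Parameter(Mandatory)] [byte[]] $Entropy
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        # CurrentUser scope: the blob is tied to key material of the
        # account this process runs as; the application stores no key.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $bytes, $Entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Convert]::ToBase64String($blob)
    }
    finally {
        # Do not leave the plaintext buffer around after use.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

function Unprotect-CardField {
    param(
        [Parameter(Mandatory)] [string] $Blob,
        [Parameter(Mandatory)] [byte[]] $Entropy
    )
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            [Convert]::FromBase64String($Blob), $Entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Expected when the blob is opened under a different account or
        # after the account's key material was lost, e.g. a password reset.
        Write-Warning 'Blob cannot be decrypted in this account context.'
        return $null
    }
}

# Constructed sample input: a well-known test card number, not a real card.
$pan     = '4111111111111111'
$entropy = [System.Text.Encoding]::UTF8.GetBytes('orders-db/card-field/v1')
$stored  = Protect-CardField -PlainText $pan -Entropy $entropy
$back    = Unprotect-CardField -Blob $stored -Entropy $entropy
'round trip as {0}: {1}' -f $env:USERNAME, ($back -eq $pan)
```

Copying the stored blob to another account or machine and calling `Unprotect-CardField` there takes the warning path, while any code running as the original account can still decrypt it.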



Posted by Anne & Lynn Wheeler on December 26, 2007, 12:21 pm
> If sensitive information (such as a credit card) has to be saved to a
> database then there is a duty of care to protect this information.
>
> If the data is saved in plain text, then there is a concern that a hacker
> gaining access to the server will therefore gain access to the credit card
> data.
>
> One option is therefore to encrypt it. This means that the data is stored
> on the server in an encrypted format. However, at some stage, the software
> will legitimately need to decrypt the data in order to use this information.
> To achieve this, it has to have access to the key to decrypt the
> information. If the software has access to this decryption key then surely
> so will any hacker. It would be equivalent to buying a secure safe and
> hanging the keys next to it.
>
> There must be a more secure implementation - could someone describe it?

in the x9a10 financial standard working group for the x9.59 standard
... it eliminated information from previous financial transactions as a
vulnerability.
http://www.garlic.com/~lynn/x959.html#x959

the current situation places diametrically opposing requirements on the
credit card information ... 1) it has to be readily available for large
number of different business processes (not just the initial
transaction) and 2) because the same information can be used by crooks
for fraudulent transactions ... the information has to be kept
confidential and never divulged. this is source of our periodic comments
in the past that even if the planet was buried under miles of encryption
... it still wouldn't prevent information leakage.

we had been called into consult with small client/server startup that
wanted to do payments on their server ... they had this technology
called SSL they wanted to use ... and it is now frequently referred
to as electronic commerce
http://www.garlic.com/~lynn/subnetwork.html#gateway

one of the issues was that the application of SSL was only able to hide
the transaction information while it was being transmitted thru the
internet ... and didn't do anything to address the major points of
exploits.

we were then dragged into working in the x9a10 financial standard
working group which in the mid-90s had been given the requirement to
preserve the integrity of the financial infrastructure for all retail
payments.
