Re: Permissions Ignored - PLEASE HELP

This WebDNA talk-list message is from

2003


It keeps the original formatting.
numero = 47109
interpreted = N
texte = > >those credit card numbers are still stored in the individual orderfiles, > >therefore... YES, it is MY responsibility to protect those numbers. > > > First, the info in the order files should be written to a database, > with the credit card numbers encrypted.Hell yes - also encrypt the exp date and name.> > Second, the order files should be DELETED immediately after each > transaction is completed -- to prevent anyone from being able to > download them, and to prevent anyone with username/password access > from seeing the UNENCRYPTED credit card values in those files.There is a setting in webcat admin for how often to sweep the directory but the files can always be [deletefile] just in case. This will stop stuff like this happening... This is the company that both alain and i used to work for. they configured their brand new server wrong after we left... big mistake http://www.nzherald.co.nz/storydisplay.cfm?storyID=2999140> > Third, all your webdna templates and include files should be > encrypted -- to prevent anyone from seeing the SEED value you used to > encrypt the credit card values when storing them in your database > file.We have a database of 1000 randomly generated seeds. the ID of the seed to use is stored in the cc database and a lookup is used to find the seed for the particular row. the two databases are on opposite ends of the server and neither of them is in a served directory.> > Fourth, you should *NEVER* display the full credit card number on any > web page, even when you're decrypting those values for some reason. > Instead you should display only the last 3 or 4 digits of the number > on the page. >NEVER! The company above also use to send invoices via email with full credit card number as confirmation to the customer. BIG MISTAKE - HUGE!Everything surrounding an online store should also be wrapped up in SSL but this should be pretty obvious. > > Sincerely, > Kenneth Grome > > --------------------------------------------------- > WebDNA Professional Training and Development Center > 175 J. Llorente Street +63 (32) 255-6921 > Cebu City, Cebu 6000 kengrome@webdna.net > Philippines http://www.webdna.net > --------------------------------------------------- > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: Permissions Ignored - PLEASE HELP (Alain Russell 2003)
  2. Re: Permissions Ignored - PLEASE HELP (Stuart Tremain 2003)
  3. Re: Permissions Ignored - PLEASE HELP (Gary Krockover 2003)
  4. Re: Permissions Ignored - PLEASE HELP (Alain Russell 2003)
  5. Re: Permissions Ignored - PLEASE HELP (Andrew Simpson 2003)
  6. Re: Permissions Ignored - PLEASE HELP (Alex McCombie 2003)
  7. Re: Permissions Ignored - PLEASE HELP (Andrew Simpson 2003)
  8. Re: Permissions Ignored - PLEASE HELP (Kenneth Grome 2003)
  9. Re: Permissions Ignored - PLEASE HELP (Bob Minor 2003)
  10. Re: Permissions Ignored - PLEASE HELP (Kimberly D. Walls 2003)
  11. Re: Permissions Ignored - PLEASE HELP (John Peacock 2003)
  12. Re: Permissions Ignored - PLEASE HELP (Donovan 2003)
  13. Re: Permissions Ignored - PLEASE HELP (WJ Starck 2003)
  14. Re: Permissions Ignored - PLEASE HELP (Donovan 2003)
  15. Re: Permissions Ignored - PLEASE HELP (Donovan 2003)
  16. Re: Permissions Ignored - PLEASE HELP (Kimberly D. Walls 2003)
  17. Re: Permissions Ignored - PLEASE HELP (John Peacock 2003)
  18. Re: Permissions Ignored - PLEASE HELP (Kimberly D. Walls 2003)
  19. Re: Permissions Ignored - PLEASE HELP (John Peacock 2003)
  20. Permissions Ignored - PLEASE HELP (Kimberly D. Walls 2003)
> >those credit card numbers are still stored in the individual orderfiles, > >therefore... YES, it is MY responsibility to protect those numbers. > > > First, the info in the order files should be written to a database, > with the credit card numbers encrypted.Hell yes - also encrypt the exp date and name.> > Second, the order files should be DELETED immediately after each > transaction is completed -- to prevent anyone from being able to > download them, and to prevent anyone with username/password access > from seeing the UNENCRYPTED credit card values in those files.There is a setting in webcat admin for how often to sweep the directory but the files can always be [deletefile] just in case. This will stop stuff like this happening... This is the company that both alain and i used to work for. they configured their brand new server wrong after we left... big mistake http://www.nzherald.co.nz/storydisplay.cfm?storyID=2999140> > Third, all your webdna templates and include files should be > encrypted -- to prevent anyone from seeing the SEED value you used to > encrypt the credit card values when storing them in your database > file.We have a database of 1000 randomly generated seeds. the ID of the seed to use is stored in the cc database and a lookup is used to find the seed for the particular row. the two databases are on opposite ends of the server and neither of them is in a served directory.> > Fourth, you should *NEVER* display the full credit card number on any > web page, even when you're decrypting those values for some reason. > Instead you should display only the last 3 or 4 digits of the number > on the page. >NEVER! The company above also use to send invoices via email with full credit card number as confirmation to the customer. BIG MISTAKE - HUGE!Everything surrounding an online store should also be wrapped up in SSL but this should be pretty obvious. > > Sincerely, > Kenneth Grome > > --------------------------------------------------- > WebDNA Professional Training and Development Center > 175 J. Llorente Street +63 (32) 255-6921 > Cebu City, Cebu 6000 kengrome@webdna.net > Philippines http://www.webdna.net > --------------------------------------------------- > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Andrew Simpson

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Simple Page (2000) hidden databases (2000) I'm having trouble using [url][interpret][math] together in lookup (1997) [movefile] (1999) WebCat2 beta 11 - new prefs ... (1997) Cart passing in URL... (2004) caching -check- (2001) Truncated numbers (2000) Grep not working, shows [grep] in browser (2000) America Online Issues (1998) WebCatalog stalls (1998) Re:Dumb Question about Docs (1997) Re:Help name our technology! (1997) [WebDNA] [OT] - One Man. One Road. (2009) Webcat & SIMS (1998) ShoppingCart Woes (1998) RequiredFields template (1997) Need hosting service (2000) WCS Newbie question (1997) Fufillment e-mail? (1998)