Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: E-Commerce Monks

by tachyon (Chancellor)
on May 08, 2003 at 03:38 UTC ( [id://256466]=note: print w/replies, xml ) Need Help??


in reply to E-Commerce Monks

Many of us who get paid to Perl have at least dabbled with e-commerce. If you have a specific or even general question why not ask it here? You don't have enough time to set up a new portal and write a fully blown e-commerce app, even if you could get a useful number of users. The only thing particularly specific to e-commerce (as opposed to general CGI stuff) is handling secure credit card tansactions and the like. All the rest is just vanilla CGI and database stuff.

There are really only three parts to secure transactions:

  • Protecting the CC data in transit (use HTTPS with Apache and Open SSL) and securing your server to protect the back door.
  • storing CC details securely. My advice is don't store the CC details. You cant hack CC details off a server if they are simply not there. Make the user re-enter CC details for every transaction (they will feel more secure about this anyway) Of course by all means remember all the other account details.
  • Handing off to the 3rd party CC processor - they will supply the interface API spec and generally sample software in a variety of langs - and waiting on the response.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Replies are listed 'Best First'.
Re: Re: E-Commerce Monks
by Dog and Pony (Priest) on May 18, 2003 at 06:37 UTC
    My advice is don't store the CC details. You cant hack CC details off a server if they are simply not there. Make the user re-enter CC details for every transaction

    We had exactly this approach, together with a third-party CC processor on a place I was working on earlier, one of Scandinavias bigger electronics ecommerce sites. We had to change this approach and store the CC numbers because we had quite a lot of trouble with frauds.

    We needed to be able to access these numbers when a fraud was suspected, and due to the third party company being quite stupid in what data they could receive and return (their system was lacking a lot, but they were the only ones in the market, more or less after some turbulent dot-com times), we needed to have access to them from our own computers. Maybe others have better luck in other countries. :)

    Anyhow, we first made it so that the numbers were stored on another machine and not together with the other details, only a key to identify it by, and they were purged after a certain time limit. Later, we also added encryption to this data. Can but hope that all this was enough.

    If possible, I totally agree that these numbers should not be stored. As it was now however, the data was very inaccessible, and only limited damage could be done if someone carried away our machines at night and managed to crack the encryption. :)

    You have moved into a dark place.
    It is pitch black. You are likely to be eaten by a grue.
[reply]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://256466]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others pondering the Monastery: (4)
As of 2024-04-25 23:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found