in reply to Thwarting Screen Scrapers

How does your billing backend work, and do you store cc numbers?

Why do I ask?
I presume that if they are charging the customer extra, and keeping the profit, that they are charging the customer's credit card themselves, and then sending their own payment details to you to make the purchase from you.

The only way they could get round this would be if they charged the customer's cc a small fee themselves, and then sent the cc number to you to charge the rest.
- and I hope that anybody would think this very suspicious if they saw this on their statement.

So, I can see 2 possible solutions to counter this.
If you store the cc numbers, then check to see if the same number is being used multiple times for the same product.
Check the customer's address against the cardholder's address to see if they're different.

Re: Re: Thwarting Screen Scrapers
by grantm (Parson) on Jul 19, 2002 at 10:49 UTC

    do you store cc numbers?

    Wouldn't that be an incredibly bad practice? I have worked on a number of ecommerce projects but none of them stored the credit card number. Ever.

    If you store card numbers in your database and your server gets cracked then the cracker can get all the card numbers. My legal knowledge is small but I'd have thought a system design like that would leave you open to criminal negligence suits. If you don't store the card numbers there is no exposure.

      I know, I was going to add a disclaimer, but didn't bother.

      I said "do you?", because I know that some do it.
      - Amazon, for example, records my cc number.

      I have read about methods of storing cc numbers by using a machine behind a firewall, which the cgi server can access, but can't itself be accessed directly from the internet.
      I don't know all the implications/applications of this, so that's why I didn't go into it.
      (and don't really want to still ;)
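
The two checks suggested in the first post (same card used repeatedly for one product, delivery address differing from the cardholder's address), written so that the objection raised in the reply is respected: this is an added example, not code from the thread, and it swaps the stored card number for a keyed HMAC-SHA256 fingerprint. The key, field names, threshold and sample orders are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: in a real system this key lives outside the order database.
FINGERPRINT_KEY = b"constructed-demo-key"


def card_fingerprint(pan, key=FINGERPRINT_KEY):
    """Keyed HMAC-SHA256 over the digits only; the raw number is never kept."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def normalise_address(addr):
    """Comparison form: lower case, commas and extra whitespace ignored."""
    return " ".join(addr.lower().replace(",", " ").split())


def review_orders(orders, max_per_card=2):
    """Return {order_id: [reasons]} for orders that match either check."""
    seen = defaultdict(int)      # (fingerprint, product) -> orders so far
    flagged = defaultdict(list)
    for o in orders:
        key = (card_fingerprint(o["pan"]), o["product"])
        seen[key] += 1
        if seen[key] > max_per_card:
            flagged[o["id"]].append("card reused for same product")
        if normalise_address(o["ship_to"]) != normalise_address(o["billing"]):
            flagged[o["id"]].append("delivery differs from cardholder address")
    return dict(flagged)


# Constructed sample orders using the public test card numbers.
SAMPLE_ORDERS = [
    {"id": 1, "pan": "4111 1111 1111 1111", "product": "widget",
     "ship_to": "1 High St, Leeds", "billing": "1 High St, Leeds"},
    {"id": 2, "pan": "4111-1111-1111-1111", "product": "widget",
     "ship_to": "22 Mill Lane, York", "billing": "1 high st,  leeds"},
    {"id": 3, "pan": "4111111111111111", "product": "widget",
     "ship_to": "9 Dock Rd, Hull", "billing": "1 High St, Leeds"},
    {"id": 4, "pan": "5555 5555 5555 4444", "product": "widget",
     "ship_to": "5 Park Row, Bath", "billing": "5 Park Row, Bath"},
]

if __name__ == "__main__":
    for order_id, reasons in review_orders(SAMPLE_ORDERS).items():
        print(order_id, "; ".join(reasons))
```

Only the fingerprint and the per-product count need to persist between orders, so a database compromise does not expose card numbers directly, although the fingerprint key then needs the same protection a stored number would have had.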