[ale] cURL/https security question

Raylynn Knight audilover at atlantabroadband.com
Thu Aug 1 23:52:35 EDT 2002


On Thu, 2002-08-01 at 19:20, jenn at colormaria.com wrote:
> Evaluation of common credit card gateway method needed by those much more
> knowledgeable about security than myself.
> 
> Scenario:
> I use CreditCynic (fake company, obviously) to process credit card
> transactions from my shopping cart.  CreditCynic provides me with a php class
> that basically urlencodes all the pertinent credit card info, and uses
> cURL to send post data over https.  There is no other validation of sender/recipient,
> there isn't any encryption of credit card data using, say, gpg.  Just
> posting the form over https.
> 
> My gut reaction is that this is *bad* but I know it's very commonplace and
> probably the most used method of processing credit cards for smaller
> merchants.
> I know I'm paranoid but I want someone to assist with either why this is
> as bad as I think it is, or why lots of people seem to think it's OK.
> 
> Thanks
> jenn

About 2 years ago I was working for an outsourcing company that did some
work for a company called safeTpay (they have since changed their name
to Kryptosima because of a trademark issue).  At that time they were DES
encrypting all credit card data so I think they were pretty secure. 
They are located in Hampton, GA and more details are available at
http://www.kryptosima.com/pe_business.html

If you end up getting this, mention that a former E-Certify employee
suggested them.

Ray Knight
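
Added example, not part of the original thread and not code from any vendor named in it: in the flow jenn describes (urlencoded card fields POSTed with cURL over https), the only check on the recipient is TLS certificate and hostname verification, so this sketch shows the cURL options that keep that check on. The URL, field names, card values and both function names are constructed for illustration.

```php
<?php
// Added example. gateway.example, the field names and the values are constructed.

/** Build cURL options for an HTTPS POST that authenticates the recipient. */
function gateway_curl_options(string $url, array $fields, ?string $pin = null): array
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('gateway URL must use https');
    }
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // chain must validate against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the URL host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_FOLLOWLOCATION => false, // do not re-send card data to a redirect target
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($pin !== null) {
        // Optional pin, "sha256//<base64 hash>" of the gateway's public key.
        $opts[CURLOPT_PINNEDPUBLICKEY] = $pin;
    }
    return $opts;
}

/** Send the POST; throws instead of returning when the transfer fails. */
function post_to_gateway(string $url, array $fields, ?string $pin = null): string
{
    $ch = curl_init();
    curl_setopt_array($ch, gateway_curl_options($url, $fields, $pin));
    $body = curl_exec($ch);
    if ($body === false) {
        // A failed certificate or hostname check lands here; in that case
        // the TLS handshake aborts and the POST body is never sent.
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample input (test card number, placeholder host); no network call is made.
$fields = ['card_number' => '4111111111111111', 'exp' => '12/30', 'amount' => '19.99'];
$opts = gateway_curl_options('https://gateway.example/charge', $fields);
echo $opts[CURLOPT_POSTFIELDS], PHP_EOL;
// To perform the request against a real endpoint: post_to_gateway($url, $fields);
```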
 
 



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.