Online credit card storage?

Published 2024-08-21 11:09:35 · 1455 characters · 7 views · 0 comments


Comments (6)

愛放△進行李 2024-08-28 11:09:35

That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).

Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.

Edit

Since I doubt the website owner will actually bother to get a new merchant account or implement a payment gateway your best bet is to use two way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end-to-end.

I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever having a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.

心如狂蝶 2024-08-28 11:09:35

This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
It would be smart to go third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self assessed), which can include penetration testing, etc. If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking. I currently support an in house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes as well. It will be cheaper for the business to convert to third party.

橘虞初梦 2024-08-28 11:09:35

There are lots of third party payment providers for you that will deal with all security and compliance issues.

For any small to medium businesses this is one function that should definitely be outsourced to those with expertise.

慈悲佛祖 2024-08-28 11:09:35

Using a 3rd party credit card processing gateway obviates the need for storing credit information on the client's server - the POST'ed cc info is passed along to the processing gateway which returns a transaction id that can be used for record-keeping by your client.

A credit card payment gateway is provided by companies like Authorize.net, LinkPoint Central - even PayPal is getting into the game. All the major gateways have existing code for integrating a shopping cart with most of the popular web programming platforms (.NET, PHP, Java, etc.). Plus most major shopping carts support the major gateways out of the box, or at the very least have installable modules for most gateways.

So, your client should get an internet payment gateway setup and you should integrate their existing code with the gateway.

月亮是我掰弯的 2024-08-28 11:09:35

Correctly protecting payment data is a complex topic. Even very large companies sometimes have large numbers of credit cards stolen from their systems.

At a minimum, here are steps to consider:

  • Ensure the online order form is using HTTPS to capture data.
  • If the DB and web server are different boxes, ensure a secure path between them.
  • Encrypt the payment data in the DB. MySQL Reference.
  • Ensure strong access control to the back-end web page (is it physically accessible to the outside world? Does it require a strong password? Is it HTTPS?)
  • Ensure there are no logs (e.g. debug log) that end up writing the payment info to the file system.
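Added example, not part of any answer in this thread, that puts together what 慈悲佛祖 describes (POST the card data on to the gateway and keep only the returned transaction id) with the last item of the checklist above (no debug log ends up writing card data to disk). The `SimulatedGateway` class, the form field names and the `StoredOrder` record are assumptions for illustration and are not the API of Authorize.Net or any real provider; the order form is constructed and uses the standard Visa test number.

```python
"""Merchant checkout that forwards card data to a payment gateway and stores
only the transaction id. Added example for this thread; SimulatedGateway is a
stand-in, not the API of Authorize.Net or any real provider."""

import io
import logging
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check on a primary account number (digits only, 13 to 19 long)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class SimulatedGateway:
    """Hypothetical gateway: takes the card data (over TLS in real life) and
    returns an opaque transaction id; the card never reaches the merchant DB."""

    def __init__(self) -> None:
        self.charges = {}

    def charge(self, pan: str, exp: str, cvv: str, amount_cents: int) -> dict:
        if not luhn_valid(pan) or not re.fullmatch(r"\d{3,4}", cvv):
            return {"ok": False, "error": "invalid card data"}
        if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", exp):
            return {"ok": False, "error": "invalid expiry"}
        txn_id = secrets.token_hex(8)
        self.charges[txn_id] = amount_cents  # the gateway, not the merchant, keeps the card
        return {"ok": True, "transaction_id": txn_id}


@dataclass
class StoredOrder:
    """Everything the merchant's database needs: no PAN, no expiry, no CVV."""
    order_id: int
    transaction_id: str
    last4: str
    amount_cents: int


# 13-19 digits with optional space/dash separators. It over-matches long numeric
# ids on purpose: masking a timestamp is cheaper than leaking a card number.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_pans(text: str) -> str:
    """Mask anything that looks like a card number, keeping only the last 4."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)


class PanRedactingFilter(logging.Filter):
    """Last line of defence for the 'no debug log writes card data' rule."""
    def filter(self, record):
        record.msg, record.args = redact_pans(record.getMessage()), ()
        return True


def checkout(form: dict, gateway: SimulatedGateway, orders: list, log: logging.Logger):
    """Handle one POSTed order form. Returns the StoredOrder, or None if declined."""
    pan = re.sub(r"\D", "", form["card_number"])
    # A careless debug line like this is exactly how PANs end up on disk;
    # the filter on the handler masks it before it is written.
    log.debug("charging card %s for %d cents", pan, form["amount_cents"])
    result = gateway.charge(pan, form["exp"], form["cvv"], form["amount_cents"])
    if not result["ok"]:
        log.info("gateway declined: %s", result["error"])
        return None
    order = StoredOrder(len(orders) + 1, result["transaction_id"], pan[-4:], form["amount_cents"])
    orders.append(order)  # pan, exp and cvv go out of scope here; nothing stores them
    return order


def run_demo() -> dict:
    """Process one constructed order and return what was stored and what was logged."""
    buf = io.StringIO()
    log = logging.getLogger("checkout-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers.clear()
    handler = logging.StreamHandler(buf)
    handler.addFilter(PanRedactingFilter())
    log.addHandler(handler)

    gateway, orders = SimulatedGateway(), []
    # Constructed sample input; 4111 1111 1111 1111 is the usual Visa test number.
    form = {"card_number": "4111 1111 1111 1111", "exp": "12/29", "cvv": "123", "amount_cents": 4999}
    order = checkout(form, gateway, orders, log)
    return {"order": order, "orders": orders, "log": buf.getvalue().splitlines(), "gateway": gateway}
```

The point of the shape is that `StoredOrder` has no field in which a PAN or CVV could be written, so the "encrypt it in the DB and protect the keys" problem from the earlier answers never arises for the merchant; the log filter is there because the card data still passes through the web process for one request, and the regex deliberately masks any 13-19 digit run rather than trying to be precise. With a real provider the `charge()` call is replaced by the gateway's own API (or, better, a hosted payment page so the form posts directly to the provider and the merchant's server never sees the card).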

星星的轨迹 2024-08-28 11:09:35

It is definitely a violation of PCI rules. However, it shouldn't be that hard to add encryption to the stored data, especially if it's rare a human will have to look at it.

Having worked for a third party credit card transaction processing company, I highly recommend it if their system is that bad. However, you'll still need to encrypt that information, or not store it at all after it's sent to the TPP. The TPP really works for the merchant, so they can help you with any compliance issues and help you get the best interchange rates.
