August 6th, 2002, 06:18 AM
Other than a merchant account, an SSL certificate registered with the proper authority such as verisign, and a credit card gateway to process the card are there any other security issues I should be aware of before setting up a site to handle online transactions?
August 6th, 2002, 07:55 AM
Don't store credit card details.
August 7th, 2002, 08:47 AM
Make sure your scripts are secure....
August 8th, 2002, 12:53 PM
How do you make sure your scripts are secure? Are there common things to check for? And also, how safe is your host?
August 9th, 2002, 04:23 AM
Well, the most important thing is to make sure users can't throw any data they want into whatever forms you use. An easy example is the zip code. If you accept anything, I can write "dshsdfh" if I want. Now, many restrict it to just numbers, which is a step in the right direction. But, since zipcodes are the same all the time, you can specify that you won't accept a zipcode looking like "11 211 2 2", in other words, non-standard. It's both a security hazard and a hassle for your database, which you want free of errors.
Another good idea is to make sure people use the correct letters when writing their names or whatever. If you don't, someone might send some funny characters like " 0 1 ' # % | & or ; and so on that might break your script...and worse, if used "properly" it can be used to execute commands on the server.
Oh, and never save important data in plaintext in your database... encrypt them.
Another thing that I do when I program is to never have passwords in my scripts. I put them in a file outside the web structure, and sometimes, when security is really really important, I encrypt the file as well. Encrypting the file does strike hard on the server if you have many hits on it though, so this is a judgement call on the necessity, but I would always opt for a paranoid view in matters like that.
If you are a non-programmer and have just ordered the script from someone, you can either hire another firm to check the code for security issues...or you can just hope that the firm did a good job. Any serious programmer should have programmed these checks for something as important as credit card details though, so if you've hired a good firm, you should (hopefully) be secure.
Then, as for the servers, same goes there... if you aren't a security expert, you can either hire people that are, or trust that you have a good sysadmin/web hotel admin.
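Server-side allowlist validation of the zip-code and name fields the post above describes, plus storing the result with a parameterised query, written here as an added Python example (not code from the thread or its posters). The field names, the regular expressions and the sqlite3 table are assumptions for illustration.

```python
import re
import sqlite3

# Allowlist patterns (assumed for this example): a US ZIP code is exactly five
# digits with an optional "-NNNN" extension; a name is letters, spaces, hyphens
# and apostrophes, at most 60 characters. Anything else is rejected outright
# rather than "cleaned", which is what the post above argues for.
ZIP_RE = re.compile(r"\d{5}(?:-\d{4})?")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,59}")

def validate_zip(value):
    """Return the ZIP as given (stripped) if it is well-formed, else None."""
    cleaned = value.strip()
    return cleaned if ZIP_RE.fullmatch(cleaned) else None

def validate_name(value):
    """Return the name with whitespace collapsed if it is well-formed, else None."""
    cleaned = " ".join(value.split())
    return cleaned if NAME_RE.fullmatch(cleaned) else None

def validate_order_form(form):
    """Validate a submitted form dict; return (clean_fields, error_messages)."""
    clean, errors = {}, []
    zip_code = validate_zip(form.get("zip", ""))
    if zip_code is None:
        errors.append("zip: must look like 12345 or 12345-6789")
    else:
        clean["zip"] = zip_code
    name = validate_name(form.get("name", ""))
    if name is None:
        errors.append("name: letters, spaces, hyphens and apostrophes only")
    else:
        clean["name"] = name
    return clean, errors

def store_customer(clean, conn=None):
    """Insert validated fields with a parameterised query, so a legitimate
    apostrophe (O'Brien) is stored as data and never becomes part of the SQL."""
    conn = conn or sqlite3.connect(":memory:")  # in-memory table for the example
    conn.execute("CREATE TABLE IF NOT EXISTS customer (name TEXT, zip TEXT)")
    conn.execute("INSERT INTO customer (name, zip) VALUES (?, ?)",
                 (clean["name"], clean["zip"]))
    return conn.execute("SELECT name, zip FROM customer").fetchall()

if __name__ == "__main__":
    # Constructed sample submission, not taken from the thread
    print(validate_order_form({"name": "Mary O'Brien", "zip": "11211"}))
```

The second form in the thread's own example ("11 211 2 2" as a zip) is rejected by validate_zip, and a name containing ";" or "|" never reaches the database at all.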
August 9th, 2002, 04:38 AM