Aristedes Maniatis | 1 Apr 2007 01:21

Re: Best way to Secure Credit Card info


On 01/04/2007, at 2:09 AM, Kenneth Spence wrote:

> I would also like to know if there is a standard on how long  
> companies keep credit card information?

Yes there is. Don't keep it a second longer than you absolutely have  
to. That usually means as soon as you get a response from the  
bank as to whether the payment succeeds or fails. In practice you  
probably don't need to keep it longer than a few seconds in your  
system while the gateway returns a result.

Encrypting it is all very well, but where are you keeping the  
encryption keys? In the 4D application? Yes, I thought so - in the  
same place as the data you are trying to protect. Sort of like  
leaving the key under the front door mat.

Ari Maniatis

-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

**********************************************************************
Last day to save $150 off a 4D Web 2.0 Pack and Server bundle!
Buy before 3/30/07 at http://store.4d.com


Jeff Grann | 1 Apr 2007 02:07

Re: Best way to Secure Credit Card info

On Mar 31, 2007, at 1:49 PM, Adrian Humphreys wrote:

> Before deciding to store credit card info at all, encrypted or not,  
> you
> might want to look at the credit card industry standards:
>
> https://pcisecuritystandards.org/tech/supporting_documents.html

Yes.  DO NOT speculate or take opinions from others on this topic.   
Use the Payment Card Industry (PCI) Security Standards only.

-----
Jeff Grann
SuccessWare, Inc.

**********************************************************************
4th Dimension Internet Users Group (4D iNUG)
FAQ:  <http://www.4d.com/support/faqnug.html>
Archive:  <http://dir.gmane.org/gmane.comp.lang.inug-4d.tech>
Wiki: <http://www.4dwiki.org/> 
Unsub:  mailto:  4D_Tech-off@...
**********************************************************************

Steve Campbell | 1 Apr 2007 02:56

4D Plug-In Support

Over the past year I have been trying to more closely integrate 4D  
Write and 4D Draw functionality in my apps.

During that time I've searched the NUG to help answer questions  
regarding plug-ins.

Generally, I am surprised with the lower quantity and quality of  
replies.  I'm certainly not being critical of all who try to help....  
It just appears that a broad range of experience from our developer  
community is not available.

I would like to suggest that 4D Tech Support employees with plug-in  
expertise somehow engage in providing more definitive assistance to  
NUG  questions.

For example messages with Subject text containing "4D Write" could be  
filtered to a 4D person skilled in 4D Write.  The same with Draw and  
other 4D plug-ins.

I think this is happening with Web 2.0 and it's very refreshing to  
see 4D folks adding their expertise to our developer experience in  
answering questions and offering help.

Thanks,

Steve


Kenneth Spence | 1 Apr 2007 02:56

Re: Best way to Secure Credit Card info

Thanks all for the suggestions.

I personally don't like keeping the number around but my client takes  
reservations and gets partial payments and then weeks or months later  
needs to recharge the card for final payment.   I still think most  
people would appreciate giving the number again for security reasons.

If I do end up having to keep the numbers hidden in some way I will  
try using ENCRYPT BLOB and DECRYPT BLOB.  Where to keep the  
encryption key is a problem.  Maybe in a separate file on a remote  
computer.  Maybe this is what I can use to convince the client not to  
save them.

Ken

Aristedes Maniatis | 1 Apr 2007 04:07

Re: Best way to Secure Credit Card info


On 01/04/2007, at 10:56 AM, Kenneth Spence wrote:

> I personally don't like keeping the number around but my client  
> takes reservations and gets partial payments and then weeks or  
> months later needs to recharge the card for final payment.   I  
> still think most people would appreciate giving the number again  
> for security reasons.

There are mechanisms many gateways have where you can process  
additional payments against the same card/merchant combination  
without needing to know the card number. Instead you use the  
transaction number from the earlier transaction.

Ari Maniatis

-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
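
The reference-transaction approach described in the message above, as an added example that is not part of the original post and not any real gateway's API: `MockGateway` and every function name here are hypothetical stand-ins, and the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass, field


class MockGateway:
    """Hypothetical in-memory stand-in for a payment gateway (assumption)."""

    def __init__(self):
        self._vault = {}  # txn_id -> card number, held on the gateway side only

    def charge_card(self, pan: str, amount_cents: int) -> str:
        txn_id = "TXN-" + secrets.token_hex(8)
        self._vault[txn_id] = pan
        return txn_id

    def charge_reference(self, prior_txn_id: str, amount_cents: int) -> str:
        # A gateway may refuse an unknown (or, by assumption, expired) reference.
        pan = self._vault.get(prior_txn_id)
        if pan is None:
            raise LookupError("unknown transaction reference; ask for the card again")
        return self.charge_card(pan, amount_cents)


@dataclass
class Reservation:
    """What the merchant database persists: there is no card number field."""
    guest: str
    deposit_txn: str
    payments: list = field(default_factory=list)


def take_deposit(gw: MockGateway, guest: str, pan: str, amount_cents: int) -> Reservation:
    txn = gw.charge_card(pan, amount_cents)
    # The card number is only a local argument; nothing below stores it.
    return Reservation(guest=guest, deposit_txn=txn, payments=[txn])


def take_final_payment(gw: MockGateway, res: Reservation, amount_cents: int) -> str:
    # Weeks later: charge again using only the earlier transaction number.
    txn = gw.charge_reference(res.deposit_txn, amount_cents)
    res.payments.append(txn)
    return txn


def demo():
    gw = MockGateway()
    test_pan = "4111111111111111"  # constructed test card number
    res = take_deposit(gw, "K. Guest", test_pan, 5000)
    final = take_final_payment(gw, res, 20000)
    return res, final, test_pan in repr(res)
```
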


Basil Bourque | 1 Apr 2007 08:51

Re: What characters can be used in naming methods?

> 15 years of my 4D code is absolutely riddled with them. I can't  
> imagine continuing in this career path if I have to change them  
> to underscores manually.

I have made such changes, and find that it is easier than you might  
expect. You just have to get into a mindless zen state, and have at  
it. Or do 20 minutes a day every day. The new Edit > Find In Database  
makes this much easier nowadays.

Also, 4D Insider may have a search-and-replace feature.

--Basil Bourque


David Adams | 1 Apr 2007 10:41

Re: What characters can be used in naming methods?

On 4/1/07, Basil Bourque <basil.bourque.inug@...> wrote:
> > 15 years of my 4D code is absolutely riddled with them. I can't
> > imagine continuing in this career path if I have to change them
> > to underscores manually.
>
> I have made such changes, and find that it is easier than you might
> expect. You just have to get into a mindless zen state, and have at
> it. Or do 20 minutes a day every day. The new Edit > Find In Database
> makes this much easier nowadays.
>
> Also, 4D Insider may have a search-and-replace feature.

Insider is good for renaming methods, forms, variables and the like.

4D itself is best for renaming tables and fields:
1) Close all open methods.
2) Rename the tables and fields.

That's it for any references that are in the code. For example, if a
table was named [Line Item] before and is now named [Line_Item], every
script and method that needs updating is updated. In fact, they aren't
updated at all. The table and field names are stored as references
when the method is saved. The full name is then expanded when the
method is reloaded. So, the current name is always used. However, if
you've got a method open and rename a table/field, 4D doesn't know
which table/field you mean when you go to save or close the method.

All of the above assumes none of this behavior has changed lately...

Obviously, if you're building table/field names using EXECUTE

Owen Watson | 1 Apr 2007 11:32

Re: Best way to Secure Credit Card info

It's rapidly going down the route of only using a hosted credit card
payment site unless you want the rather intrusive PCI standards
applied not only to your website but anything it's connected to in the
same domain.


Kenneth Spence | 1 Apr 2007 16:16

Re: Best way to Secure Credit Card info

Ari,

This sounds like a good solution.  Do you know if Authorize.net allows  
this and can you only use a Transaction # for a certain length of  
time since it was last used?  I use Etran right now.  Do you know if  
it can do this?  I want to replace this plugin soon with 4D code so  
if you have any suggestions on how 4D code would handle this I would  
appreciate it.

Ken
> Ari Wrote:

> There are mechanisms many gateways have where you can process
> additional payments against the same card/merchant combination
> without needing to know the card number. Instead you use the
> transaction number from the earlier transaction.
>


Lee Hinde | 1 Apr 2007 20:19

Re: Best way to Secure Credit Card info

You can see it all here: http://developer.authorize.net/

I'd also encourage you to off-load any credit card number storage off to a
bigger fish. I.e., don't store it locally, let the cc service provider have
all the risk.

Actually, it'd still be your fault, since you picked the vendor. :-)

On 4/1/07, Kenneth Spence <kespence@...> wrote:
>
> Ari,
>
> This sounds like a good solution.  Do you know if Authorize.net allows
> this and can you only use a Transaction # for a certain length of
> time since it was last used?  I use Etran right now.  Do you know if
> it can do this?  I want to replace this plugin soon with 4D code so
> if you have any suggestions on how 4D code would handle this I would
> appreciate it.
>
> Ken
> > Ari Wrote:
>
> > There are mechanisms many gateways have where you can process
> > additional payments against the same card/merchant combination
> > without needing to know the card number. Instead you use the
> > transaction number from the earlier transaction.
> >

