Re: FN-FORUM:
date posted 20th July 2005 16:19
On 20 Jul 2005 14:43:57 -0000, [EMAIL REMOVED] [EMAIL REMOVED] wrote:
>
> This is not my area at all, but I'm just wondering if anyone's familiar with the
> security measures required to implement this, or legal issues regarding this.
> Obviously it can be done as all the big players do it somehow, but not by
> storing card numbers basically unencrypted on a web server only a username and
> password or two away? Surely there's something more to it than that..
>
Keeping it very brief.
You don't say what the hosting arrangements are for the client, but I
would suggest they would require a radical overhaul in order to
implement this in a reasonably secure way. Holding card info on a
publicly accessible server is obviously a no-no. The info should be
held encrypted in a database on a secure server on a trusted network
behind at least two firewalls and a proxy, with more than a few
additional measures thrown in. Architecture and attention to detail
are everything. Penetration testing of the resulting setup would be
highly recommended before going live.
The Data Protection Act is something that your client should be aware
of and in compliance with.
If your client doesn't have the budget to afford the relevant
infrastructure and expertise to do it properly, they shouldn't do it,
and you would be strongly advised not to get involved if they decide
to go ahead anyway under those circumstances.
-- 
Mamading Ceesay
A Letter To The Terrorists, From London
http://www.lnreview.co.uk/news/005167.php
"It's hard to panic the British. They've dealt with the Blitz, the
IRA, the Silurians, the Zarbi, the Daleks, the Cybermen..."
http://www.livejournal.com/users/coalescent/239250.html