Email encryption

jeremybrown

Hey guys

A client has asked us to implement an ecommerce site taking secure payments via email where the credit card details are encrypted and emailed to the seller. They then decrypt these details and manually process the transactions. After speaking to a hosting provider on this they told me that it was against the law to pass credit card information via email encrypted or not. Does anyone know anything about this?

Regards

Jeremy
 

Subbynet

Very bad idea - and it's very (highly) likely processing payments in this manner would be against the terms and conditions of any merchant account held by your client.

Is there any reason your client can't process web payments with a middle-man company like Protx to handle web payments?
 
Upvote 0
Hello Jeremy,

(I'm the hosting provider that told you to post here! :)) I could be wrong about what I said though. :redface:

As Subbynet said, it is very risky. Could they not process the payments online using WorldPay/ProtX/PayPal? Does the client have a merchant account with their bank?
 

nsdesign

Sending CC details via email (encrypted or not) can be dangerous... and most likely will contravene the bank's terms etc...

One method we've used in the past (as a "half way measure") when the client was determined NOT to use a Payment Provider, was to "split" the CC number in 2 - sending half by email, and half stored in the secure access database.

Only when the 2 were put together (using a link in the email, and then logging in) were the full details ever shown. After processing the order, a simple script was used to remove the CC details from the database.

As far as I can remember (although we were only going by the client's word) this was a suitable solution for his merchant account providers.

Hope this helps
Gary
 

jeremybrown

Well, we have tried to encourage them to go down that route (Protx or PayPal), but they appear to be worried that taking orders over the Internet is not going to be a success, so they are trying to keep costs to a minimum. I don't know who their merchant account is with.

Thanks for your help

J
 

Erlen

If you really need to go that way, you need to use GnuPG (see: gnupg.org) to encrypt the information on the server side. As you will keep the private key on your client system, completely disconnected from the server, it means that the CC number will be in safe hands.

Still, you will then have the problem of handling the CC numbers on your client's system, and here, with all the viruses and trojans you can find on Windows systems, I would not have peace of mind.

Best regards,
Erlen
 
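The key separation described in the post above, as an added example that is not part of the thread: two throwaway GnuPG home directories stand in for the web server (public key only) and the seller's offline machine (private key). The address, payload and function names are constructed for the demo, which shows only where the private key lives and assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example: two GnuPG home directories stand in for the two machines.
# RECIPIENT and the payload are constructed placeholders, not real data.
set -eu
RECIPIENT="orders@example.invalid"

# Create an empty, owner-only GnuPG home directory and print its path.
new_home() { d=$(mktemp -d) && chmod 700 "$d" && printf '%s\n' "$d"; }

# Generate the key pair in the offline home. The empty passphrase only keeps
# the demo non-interactive; a real key should be passphrase-protected.
make_offline_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$RECIPIENT" default default never
}

# Copy only the public key from home $1 into home $2 (the server).
copy_public_key() {
    gpg --homedir "$1" --batch --quiet --armor --export "$RECIPIENT" |
        gpg --homedir "$2" --batch --quiet --import
}

# Encrypt stdin to RECIPIENT using the keyring in home $1.
# --trust-model always: the key was installed by hand, not via web of trust.
encrypt_on_server() {
    gpg --homedir "$1" --batch --quiet --armor --trust-model always \
        --recipient "$RECIPIENT" --encrypt
}

# Try to decrypt stdin with whatever private keys home $1 holds.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt 2>/dev/null
}

OFFLINE=$(new_home); SERVER=$(new_home)
trap 'rm -rf "$OFFLINE" "$SERVER"' EXIT
make_offline_key "$OFFLINE"
copy_public_key "$OFFLINE" "$SERVER"
MSG=$(printf 'order 1001: constructed test payload\n' | encrypt_on_server "$SERVER")

# The server holds no private key, so it cannot read what it just encrypted.
if printf '%s\n' "$MSG" | decrypt_with "$SERVER" >/dev/null; then
    echo "server could decrypt (unexpected)"
else
    echo "server cannot decrypt"
fi
printf '%s\n' "$MSG" | decrypt_with "$OFFLINE"   # offline machine recovers it
```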

Optegris

Please don't even think about doing this. Although PGP encryption is pretty good, you are still going to be contravening the merchant account's rules!

If they are worried about paying £20/month to Protx to handle all this for them and take away the security headache then maybe they should not be selling online?

Seriously, if it doesn't work out they can drop Protx giving them notice...
     

Erlen

I said "if you really need"... I do not know what the merchant account rules are; I am just providing a technically correct approach. But it is true, the first thing to do is go through Protx or a dedicated gateway.

What is sure is that I would personally not buy in a shop handling CC# that way, but I prefer to give a good technical solution instead of them going with a crappy approach and putting all their customers at risk.

Erlen
     