Discussion in 'eCommerce' started by Endivo, Apr 16, 2016.
I would outsource the CC stuff; nothing in your own database.
Who in the world maintains CCs in the database? You do that only if you are big and have a dedicated security dev/tech.
Just because an information system/eCommerce platform doesn't store credit cards in your database doesn't mean there are not alternative means of obtaining that information from your information system. That very same system still collects credit card information. It still has to pass through your information system even though it isn't stored in your information system or database.
You should be able to do the same as PayPal: you forward the amount to the payment gateway and handle it off site; when done, the payment gateway sends you an OK.
Not everyone likes PayPal
I did not say use PayPal, but use a system like PayPal: only send what is needed to the payment gateway and they handle the payment. This way you have nothing in your database, only whether they have paid or not. Sites these days do not have to collect payment info; they can outsource this to a payment gateway. PayPal, Due, Stripe, Payline Data, Square and Adyen, for example, are payment processing companies; pick one that you like.
While I'm not familiar with the entire list of payment processors on your list, the point still remains that we are still collecting and transmitting that information.
For example, retail and online stores are generally not permitted to save and store complete credit card numbers. However, when we swipe our credit cards, these stores collect the credit card number data and send it along the way with the appropriate charges.
Attackers figured that out, so what do they do? They infect the point of sale machine (the credit card reader) with memory scraping malware. This way it collects the data and passes the credit card information from RAM onwards to the attacker.
A similar process can be done here as well. Attack the application, infect it with malware or something to scrape the text off your inputs, and they can collect credit card information.
If you have a good payment processor you are taken to a secure site of the payment processor; the store sends the amount people need to pay. The payment processor sends back either accepted or canceled; I presume that this is coded in a hash so you'll know whether it's legit or not. So I as the store do not even have to know anything other than the shipping address. Why should I need CC info? I have the transaction ID, same as the customer. Why should I want to know the CC info as a store? If I collect it and something happens, I get the blame and the bill.
As for the store itself, they do not collect CC info, only transmit it; the only thing is that they need to protect the transmitter from being hijacked, so every day someone who is trained needs to look at it. But nothing will ever be 100% secured; you can get high but never 100%.
Shopify has been hacked more than once, as have other hosted stores. Using self-hosted software is not secure or insecure. Keeping up to date with patches, following proper security measures, etc., many businesses are very successful with them.
Plus you don't pay the higher credit card fees many of the hosted solutions charge.
Afaik, Stripe only accepts payments via API?
Plus stop worrying only about data at rest. Data in motion is a huge concern too.
Shopify may have been breached, but they also have dedicated teams charged with that investigation of identifying the breach and closing it up. Not all of us have the digital forensic/incident response skill set or the funds to pay a consultant like myself with that skill set.
The data in motion in those cases is between the payment processor and the user, the credit card info is never transmitted to the store, through the store's connection, etc.
There are services such as Sucuri.net for scanning (which includes outdated software), and free response/cleanup if the site has been hacked after you start using their services.
The fact is there are a great many companies who have run self-hosted stores for a long time with great success. Third parties are appropriate for some, but not all of my clients (one of my clients even refused to move from the self-hosted software when I told them I thought a small self-hosted setup was more appropriate for their situation).
There is no one size fits all.
Yes, same as PayPal, the API is enough: you generate a token that is stored in the database (not the CC info), and with the token you ask Stripe to start checking and charging the card. When done you get info back; that info you store in case something is wrong. The token you don't need any more, so that can be deleted.
Like I said, nothing you try to build is 100% secure, but the less you keep in your database the better.
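The flow described in the two posts above (send the amount to the gateway, get back a token instead of the card, charge by token, verify that the accepted/canceled result is genuine via a hash, then discard the token) as an added, self-contained example. This is not code from the thread, from Stripe or from any other processor: `FakeGateway`, `Store` and `verify_callback` are hypothetical stand-ins, the shared secret and the card number are constructed test values, and an HMAC-SHA256 over the result body is assumed as the "hash" scheme. It also shows two things the posts only imply: a consumed token cannot be charged twice, and a result whose body has been altered in transit fails verification.

```python
"""Tokenized checkout: the store never keeps the card number, only the
gateway's token (briefly) and the last four digits, and it verifies the
gateway's signed result before trusting it.  Constructed example; the
gateway here is a hypothetical stand-in, not a real processor's API."""
import hashlib
import hmac
import json
import secrets


class FakeGateway:
    """Hypothetical payment gateway.  The card vault lives here, not in the store."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._vault = {}  # token -> card details, gateway side only

    def tokenize(self, pan: str, exp: str, cvc: str) -> dict:
        # The card details are swapped for a single-use token; the store
        # is handed only the token and the last four digits.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = {"pan": pan, "exp": exp, "cvc": cvc}
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int, currency: str):
        # The token is consumed on use, so a replayed token cannot charge twice.
        card = self._vault.pop(token, None)
        status = "accepted" if card is not None and amount_cents > 0 else "canceled"
        result = {
            "transaction_id": "txn_" + secrets.token_hex(6),
            "status": status,
            "amount": amount_cents,
            "currency": currency,
        }
        # Canonical JSON so both sides hash exactly the same bytes.
        payload = json.dumps(result, sort_keys=True, separators=(",", ":")).encode()
        return payload, self.sign(payload)

    def sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()


def verify_callback(secret: bytes, payload: bytes, signature: str) -> bool:
    """True only if the result body was produced by the holder of the shared secret.
    compare_digest avoids leaking the position of the first mismatching byte."""
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


class Store:
    """The merchant side.  orders[] is the only thing that would be persisted."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self.orders = {}

    def checkout(self, gateway, order_id, pan, exp, cvc, amount_cents, currency="USD") -> dict:
        tok = gateway.tokenize(pan, exp, cvc)
        # Only the token and last4 are written; PAN, expiry and CVC are never stored.
        self.orders[order_id] = {"token": tok["token"], "last4": tok["last4"], "status": "pending"}

        payload, sig = gateway.charge(tok["token"], amount_cents, currency)
        order = self.orders[order_id]
        if not verify_callback(self._secret, payload, sig):
            # Unsigned or altered result: do not mark the order paid.
            order["status"] = "unverified"
            return order

        result = json.loads(payload)
        order["status"] = result["status"]
        order["transaction_id"] = result["transaction_id"]  # kept for disputes
        order.pop("token")  # token is spent; nothing to gain from keeping it
        return order


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    gw, store = FakeGateway(secret), Store(secret)
    print(store.checkout(gw, "order-1", "4242424242424242", "12/29", "123", 1999))
```

The store record that survives is `{last4, status, transaction_id}`, which is what the posts argue is all a merchant needs; the full PAN only ever exists in the gateway's vault and, as the earlier post about memory scraping warns, transiently in the checkout process itself.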
There's also an embeddable form that works with their API:
I will go with Prestashop. I have been using Prestashop since 2009 for my embroidery store and am happy with it. It is very easy to install and modify.