joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Aug-30 21:28 UTC
Storing credit card information... sigh.
The client I'm doing work for is pretty set on wanting to store credit card information so users can buy stuff without having to type in the CC information all the time. He knows that it's a PITA to do right, but wants it done anyways.

So, here's my current thinking of it:

Two servers, the Rails db/app/web server and the CC secure server. The CC server only talks to authorize.net and the Rails server.

Public key stored on the Rails db server. Order comes in with new CC data. The important stuff gets encrypted using the public key. Rails assigns some arbitrary id to the CC (for future reference) and remembers the last 4 digits and expiry date of the CC. Rails sends the encrypted information (maybe using DRb) to the CC server. The CC server decrypts the information using its private key. It sends a request to authorize.net to authorize the payment. The CC server returns success or failure to the Rails server. Then the order is placed or declined.

If an order comes in and the customer wants to reuse a previously-used CC, the Rails server sends a request to the CC server with the remembered arbitrary id for the CC.

That sound reasonable?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
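The split Joe sketches, worked through as an added example (this is not code from the thread or from any of the products mentioned): the Rails box holds only the public key and persists a reference id, last four digits and expiry; the CC box is the only holder of the private key and so the only place the card number is ever in the clear. It uses envelope encryption (a fresh AES-256-GCM key per card, wrapped with RSA-OAEP) rather than raw RSA over the payload, and binds the ciphertext to its id through the GCM associated data so a blob re-labelled with another id fails to open. The function names, the transport (DRb or otherwise is left out), the 2048-bit key and the `4111111111111111` test number are all assumptions of the example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Added example, not code from the thread. Models Joe's split: the Rails
# side holds only the public key, the CC server holds the private key.
TEST_PAN = '4111111111111111' # constructed test number, not a real card

# Rails side: encrypt the sensitive fields under the public key and keep
# only the reference id, last four digits and expiry for the app's own use.
def rails_prepare_card(public_key_pem, number:, expiry:)
  pub = OpenSSL::PKey::RSA.new(public_key_pem)
  token = SecureRandom.uuid                      # the "arbitrary id"
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key                   # fresh key per card
  iv = cipher.random_iv
  cipher.auth_data = token                       # bind the blob to its id
  ct = cipher.update(JSON.generate({ number: number, expiry: expiry })) + cipher.final
  envelope = {
    token: token,
    wrapped_key: pub.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING),
    iv: iv, tag: cipher.auth_tag, ct: ct
  }
  rails_row = { token: token, last4: number[-4, 4], expiry: expiry }
  [rails_row, envelope] # row stays in the Rails db; envelope goes to the CC server
end

# CC server side: unwrap the data key with the private key and open the
# blob. A wrong tag, wrong key or swapped token raises CipherError.
def cc_server_open(private_key_pem, envelope)
  priv = OpenSSL::PKey::RSA.new(private_key_pem)
  data_key = priv.private_decrypt(envelope[:wrapped_key],
                                  OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = envelope[:token]
  JSON.parse(cipher.update(envelope[:ct]) + cipher.final)
end

# Walk the flow once and report what each side ends up holding.
def demo_flow
  key = OpenSSL::PKey::RSA.generate(2048)
  rails_row, envelope = rails_prepare_card(key.public_key.to_pem,
                                           number: TEST_PAN, expiry: '12/09')
  card = cc_server_open(key.to_pem, envelope)
  # A blob re-labelled with a different token must not open.
  swapped = envelope.merge({ token: SecureRandom.uuid })
  tamper_detected = begin
    cc_server_open(key.to_pem, swapped)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
  {
    rails_row: rails_row,
    rails_row_has_pan: rails_row.values.join.include?(TEST_PAN),
    cc_server_sees: card['number'],
    tamper_detected: tamper_detected
  }
end

if __FILE__ == $0
  p demo_flow
end
```

What the example does not cover is the part the later replies dwell on: the CC server still stores decryptable card data, so it, its backups and its logs are all in scope, and the private key needs its own protection.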
Benjamin Curtis <rails-4dtGyw5agdmakBO8gow8eQ@public.gmane.org>
Just use TrustCommerce Citadel. They get to worry about doing it right. :)

--
Building an e-commerce site with Rails?
http://www.agilewebdevelopment.com/rails-ecommerce

On Aug 30, 2006, at 2:28 PM, joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> That sound reasonable?
Dion Hewson <dionhewson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
I thought it was illegal for vendors to hold on to customers' credit card details.

On 8/31/06, Benjamin Curtis <rails-4dtGyw5agdmakBO8gow8eQ@public.gmane.org> wrote:
> Just use TrustCommerce Citadel. They get to worry about doing it right. :)

--
www.blogsaic.com
search, post, blog
Nathaniel Brown <nshb-wgYSSEAWXinQT0dZR+AlfA@public.gmane.org>
It's not illegal. You are simply liable.

Check the thread on PCI Certification which was spurred earlier this month.

-NSHB

On 8/30/06, Dion Hewson <dionhewson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I thought it was illegal for vendors to hold on to customers' credit card details.

--
Nathaniel Steven Henry Brown
Open Source Insight - http://nshb.net
Open Source Development - http://inimit.com
Open Source Training - http://osevents.com
There are ways around storing local CC data. With Verisign (aka Paypal) for instance, you can store a nondescript transaction id (PNREF) and then use that later when you need to recharge the same card. All the CC data is kept on Verisign's servers, alleviating (most of) the liability off you. I don't know what vendor you're using for CC processing, but I'd bet that most of the big players have a feature like this.

I personally would never store CC data unless I was absolutely forced to... that's after switching CC vendors if necessary.

Ed

On 8/31/06, Nathaniel Brown <nshb-wgYSSEAWXinQT0dZR+AlfA@public.gmane.org> wrote:
> It's not illegal. You are simply liable.
>
> Check the thread on PCI Certification which was spurred earlier this month.
I believe that VISA has certain guidelines a vendor must follow in order to be allowed to take that form of credit. MasterCard and others may as well.

+1 for TrustCommerce Citadel. This is *NOT* something I would want to do myself.

Oh, and be sure to sanitize your logs for cc numbers as well.

On 8/31/06, Nathaniel Brown <nshb-wgYSSEAWXinQT0dZR+AlfA@public.gmane.org> wrote:
> It's not illegal. You are simply liable.
>
> Check the thread on PCI Certification which was spurred earlier this month.
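The "sanitize your logs" advice, as an added example (not code from the thread): a scrubber that finds 13-19 digit runs, with or without space or hyphen separators, and masks all but the last four digits of those that pass the Luhn check, so order ids and timestamps that merely look numeric are left alone. The regex, the masking format and the sample log lines are constructed for the example; the card number in them is a standard test number, not a real card.

```ruby
# Added example, not code from the thread: redact card numbers from log
# lines before they are written or shipped anywhere.
PAN_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/ # 13-19 digits, optional separators

# Luhn check: cuts false positives such as order ids and epoch timestamps.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# Mask every Luhn-valid candidate, keeping only the last four digits
# (the same four the Rails row in Joe's design keeps anyway).
def redact_pans(line)
  line.gsub(PAN_CANDIDATE) do |match|
    digits = match.delete(' -')
    luhn_valid?(digits) ? ('*' * (digits.length - 4)) + digits[-4, 4] : match
  end
end

# Constructed log lines; 4111111111111111 is a standard test PAN.
SAMPLE_LOG = [
  '2006-08-31 15:06:06 POST /orders card=4111111111111111 exp=12/09',
  '2006-08-31 15:06:07 POST /orders card=4111 1111 1111 1111 exp=12/09',
  '2006-08-31 15:06:08 order_id=1234567890123 status=authorized'
].freeze

def sanitized_sample
  SAMPLE_LOG.map { |line| redact_pans(line) }
end

if __FILE__ == $0
  puts sanitized_sample
end
```

In a Rails app this belongs in the log formatter (or the request parameter filter for the `card` field) so it runs on every line, not only on the handful of places a developer remembers; the third sample line shows why the Luhn check matters, since a 13-digit order id would otherwise be mangled.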
joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Aug-31 15:06 UTC
Re: Storing credit card information... sigh.
Benjamin Curtis wrote:
> Just use TrustCommerce Citadel. They get to worry about doing it right. :)

Too expensive.

Joe
HH
Really? More than the cost of doing all the compliance yourself, not to mention the countless hours you seem to be spending on this? That's got to add up pretty darn quick.

> From: <joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Reply-To: <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
> Date: Thu, 31 Aug 2006 15:06:06 -0000
> To: "Ruby on Rails: Talk" <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
> Subject: [Rails] Re: Storing credit card information... sigh.
>
> Benjamin Curtis wrote:
>> Just use TrustCommerce Citadel. They get to worry about doing it
>> right. :)
>
> Too expensive.
>
> Joe
joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Aug-31 19:42 UTC
Re: Storing credit card information... sigh.
HH wrote:
> Really? More than the cost of doing all the compliance yourself, not to mention the countless hours you seem to be spending on this? That's got to add up pretty darn quick.

Yes. We did the math. I've probably only spent two or three hours on this so far.

Joe
Joe,

I'm going through some of what you are going through with one client. Although he hasn't made a final decision, three things that are hard to put a price on are the peace of mind at night, the liability in case somebody gets through, and the time/money it takes to recover from such a blunder. Not even considering the lost business from the bad publicity after something like that happens. Agreed, this last point affects you if somebody hacks into Citadel, but it sure is a smaller hit than if you are the culprit.

Just my .02c opinion,

Adrian Madrid

On 8/31/06, joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Yes. We did the math. I've probably only spent two or three hours on this so far.

--
Adrian Esteban Madrid
joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Aug-31 22:22 UTC
Re: Storing credit card information... sigh.
Adrian Madrid wrote:
> Joe,
>
> I'm going through some of what you are going through with one client. Although he hasn't made a final decision, three things that are hard to put a price on are the peace of mind at night, the liability in case somebody gets through, and the time/money it takes to recover from such a blunder. Not even considering the lost business from the bad publicity after something like that happens. Agreed, this last point affects you if somebody hacks into Citadel, but it sure is a smaller hit than if you are the culprit.

Thanks! I'd appreciate it if someone could tell me if there's anything wrong with my approach.

Joe
Make sure to check out this prior thread on the same topic, if you haven't already:

http://wrath.rubyonrails.org/pipermail/rails/2006-August/060825.html

Cheers,

Steven Luscher (BDes Hons., Provisional RGD)
{ c = Steven Luscher Design; w = http://www.stevenluscherdesign.com/ }

On 30-Aug-06, at 2:28 PM, joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> That sound reasonable?
Hi Joe,

not sure if it has already been posted somewhere, but be sure to read this:

http://blog.duncandavidson.com/2006/06/cautious_advice.html

cheers
Thibaut