Rpgnow creditcard information stolen
<blockquote data-quote="Michael Morris" data-source="post: 3266410" data-attributes="member: 87"><p>Let me clear up a few things about how payment gateways are normally set up.</p><p></p>
<p>1) OSCommerce and most all PHP platforms do not encrypt the CC information they are handling because they rely on Apache Webserver to do this task using SSL encryption. The web address on the page that takes the credit card information should start with https. If it doesn't DO NOT USE THAT MERCHANT because that is a clear sign they do not know what the hell they are doing when it comes to security.</p><p></p>
<p>2) Once the webform gathers the credit card info it must relay it to a payment processing agent. Paypal is one such agent, for better or worse. My company sets up its clients with Verus. The server sends the information again over an SSL connection to the payment processor and will get a response code back from that agent of approved, declined, etc. This response is very brief but it's the same kind of response given by the little credit card readers.</p><p></p>
<p>3) PCI DSS has express guidelines for the storage of credit cards. A merchant who stores credit cards without that certification can lose his merchant account with Visa, Mastercard and Discover even if he hasn't been hacked. It was first mentioned back in <a href="https://www.enworld.org/index.php?posts/3264111/" target="_blank">this post of the thread</a>. The fines I mentioned are for those who haven't signed onto that standard and are the pertinent ones.</p><p></p>
<p>4) There is no reason to store an entire credit card number, but you can't encrypt it within the PHP code either because you have to extract it. PHP's internal encryption - md5, sha and one other - are all one-way processes. Here at ENWorld (or any vBulletin site) if you submit a password a JavaScript algorithm encrypts it before transfer. Once received, a randomly determined salt string is added to the hash and it all gets hashed AGAIN. md5 hashing is a one-way process; there's no way to go back and figure out the password string used to determine the hash. It is for this reason that recovery of passwords on this server is impossible - we can, however, reset the password to something else.</p><p></p>
<p>5) Typically this is what an online merchant should do with your card. The information is passed to the computer over an SSL-encrypted connection (or an https address). The information is relayed to a payment gateway which then gives a response consisting of an approval code and a reference code. The program then should store at least those two codes in the database for accounting reasons (they cannot be used to discover the credit card number). In addition I typically store a transaction number, customer number, serialized array of product numbers purchased, total amount of the transaction and the last 4 digits of the card used for the transaction (not the entire card number). All this information is useful to the accounting office of the company but it is useless to a hacker out to steal.</p></blockquote><p></p>
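The storage rule in point 5 (keep the gateway's approval and reference codes plus the last 4 digits, never the full card number) as an added example that is not code from the post, OSCommerce or any gateway; the gateway response dict shape and the field names are assumptions, and the card number is a constructed sample (the widely published Visa test number). The `leaks_pan` audit check goes a step beyond the post: it scans a stored record for any Luhn-valid 13-19 digit run, which is how you would catch a full PAN that slipped into a log or table.

```python
import json
import re
from dataclasses import asdict, dataclass

# Any 13-19 digit run has the shape of a full primary account number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredTransaction:
    """What the post says to keep: gateway codes, accounting fields and the last 4 digits only."""
    transaction_id: str
    customer_id: str
    products: tuple
    total_cents: int
    approval_code: str
    reference_code: str
    last4: str


def record_transaction(pan: str, gateway_response: dict, transaction_id: str,
                       customer_id: str, products: tuple, total_cents: int) -> StoredTransaction:
    """Build the row to persist once the gateway has answered; the full PAN never enters it."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number is malformed")
    if gateway_response.get("status") != "approved":   # assumed response shape
        raise ValueError("gateway did not approve: %s" % gateway_response.get("status"))
    return StoredTransaction(transaction_id, customer_id, tuple(products), total_cents,
                             gateway_response["approval_code"],
                             gateway_response["reference_code"], pan[-4:])


def leaks_pan(record: StoredTransaction) -> bool:
    """Audit check: does any stored field contain a Luhn-valid full card number?"""
    return any(luhn_ok(run) for run in PAN_RE.findall(json.dumps(asdict(record))))


if __name__ == "__main__":
    # Constructed sample: public Visa test number and a made-up gateway reply.
    response = {"status": "approved", "approval_code": "A1B2C3", "reference_code": "REF-9001"}
    row = record_transaction("4111111111111111", response, "T-1001", "C-42", ("PDF-0007",), 1999)
    print(row.last4, leaks_pan(row))    # 1111 False
```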