[Zope] Re: [ZCommerce] Secure storage of credit card info

Bill Anderson bill@libc.org
Thu, 08 Jun 2000 18:58:37 -0600


"R. David Murray" wrote:
> 
> OK, any of you out there who have thought about ecommerce, cryptography,
> and zope, I've got a design question for you.  Actually, this question
> is independent of zope, but I need to solve it in a zope context.
> 
> You have a ZCommerce site.  You accept credit cards, and securely
> communicate with a CC processor to verify the transaction.  Now,
> you want to save the CC# and other info in case something needs
> to be done with it later, and probably store the CC# so this
> customer doesn't have to type it in again later.  Regardless
> of whether you are storing this info in a relational database
> or in the ZODB, how do you secure that information? 

Step one, prepare for a fight with Amazon <0.5 wink>

Personally, I would store the actual data on a separate server, not
accessible to the public.

When you need to place the order/verify funds/etc, your ZopeApp talks
to the private server, which returns either the data needed, or a yes or
no result. I prefer the latter, since the actual processing with the CC
clearinghouse can be done from there, thus largely eliminating the
threat (though not destroying it entirely of course) at the webserver.
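The split described in this message (web tier keeps an opaque token, private server keeps the card data and talks to the clearinghouse, web tier only ever gets a yes/no back) can be sketched in code. The following is an added example, not code from this thread or from ZCommerce: the two tiers are modelled as in-process objects rather than separate hosts, and `_stub_clearinghouse` is a constructed stand-in with hypothetical approval rules.

```python
"""Two-tier card handling: the web tier stores an opaque token, the
private vault stores the card number and runs the charge itself.

Added illustration, not code from the original thread. CardVault stands
in for the separate, non-public server; WebApp for the Zope-facing tier.
The clearinghouse is a constructed stub with hypothetical rules."""
import re
import secrets
from dataclasses import dataclass, field

# Crude detector for anything that looks like a card number in stored text.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn (mod-10) check-digit validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _stub_clearinghouse(pan: str, expiry: str, amount_cents: int) -> bool:
    """Constructed stand-in for the CC processor (hypothetical rules):
    approve Luhn-valid cards for amounts up to $500."""
    return luhn_ok(pan) and 0 < amount_cents <= 50000


class CardVault:
    """The private server. Two operations only: store a card and hand back
    a token, or run a charge for a token and answer yes/no. The card number
    never leaves this object."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}  # token -> (pan, expiry)

    def store(self, pan: str, expiry: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(16)   # random, unrelated to the PAN
        self._cards[token] = (pan, expiry)
        return token

    def authorize(self, token: str, amount_cents: int) -> bool:
        card = self._cards.get(token)
        if card is None:
            return False                    # unknown token: decline, no detail
        pan, expiry = card
        return _stub_clearinghouse(pan, expiry, amount_cents)


@dataclass
class WebApp:
    """The public-facing tier. Keeps tokens per customer, never card numbers."""
    vault: CardVault
    tokens: dict = field(default_factory=dict)  # customer_id -> token

    def save_card(self, customer_id: str, pan: str, expiry: str) -> None:
        # The PAN is forwarded once and not retained; only the token is kept.
        self.tokens[customer_id] = self.vault.store(pan, expiry)

    def checkout(self, customer_id: str, amount_cents: int) -> bool:
        token = self.tokens.get(customer_id)
        if token is None:
            return False
        return self.vault.authorize(token, amount_cents)

    def leaks_pan(self) -> bool:
        """Check that nothing the web tier persists looks like a card number."""
        return any(PAN_RE.search(t) for t in self.tokens.values())


if __name__ == "__main__":
    app = WebApp(CardVault())
    app.save_card("alice", "4111 1111 1111 1111", "12/27")  # constructed test PAN
    print("charge $49.99:", app.checkout("alice", 4999))
    print("web tier holds a PAN:", app.leaks_pan())
```

A compromise of the web tier in this layout yields tokens that are useless without the vault, which is the "yes or no result" variant the message prefers; returning the card data to the web tier instead would put the PAN back within reach of whatever runs there.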