views: 154

answers: 5
Where I work we have an ecommerce system on an intranet set up to process customers' credit cards. Currently when we charge a customer's credit card using Authorize.net we are not sending the credit card info to Authorize.net over a secure connection. Instead it goes over regular HTTP. I'd like to get other opinions on how serious/negligent this is. Thanks.

EDIT: It looks like I'm wrong. I snooped around in the code and it looks like it's processing the credit card at https://secure.authorize.net. However, the web page where the credit card is entered is not secure. This is a different situation than I originally described. Sorry about that.

+6  A: 

This seems very negligent. There have been too many leaks of credit card information to allow this sort of behavior.

Even if the processing was handled internal to your intranet, and not being sent up to a 3rd party, I would recommend using secured connections. You don't want this to be accessible by anybody, even internal, non-authorized employees.

Reed Copsey
+1  A: 

It's an absolute, unmitigated disaster. You should immediately (and I mean immediately) use at least transport level security (SSL/TLS) and if Authorize.net can set up for it, message level security as well.

JP Alioto
+3  A: 

I'm confused. How are you sending plain HTTP requests to Authorize.net? Their transaction endpoints don't have HTTP versions - they'd be criminally negligent to permit that.


Now that you've edited, things are a bit clearer. Yes, it's still a security risk to have the intranet page be HTTP instead of HTTPS, but far less than what your question originally indicated (unencrypted transit of the public Internet).

As it's internal, you don't need a paid SSL certificate (if cost is the reason for avoiding HTTPS - I can't think of any other good reasons) - you should be able to use a self-signed one.

ceejayoz
Good question. I do not work on this ecommerce system I've described. All I know is there is no secure certificate associated with this web site.
SquidScareMe
That's not the same thing.
Spencer Ruport
You're correct. Please see my edit to my original posting. Thank you.
SquidScareMe
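The distinction ceejayoz draws (the card-entry page served over plain HTTP versus the transaction endpoint over HTTPS) can be checked mechanically rather than by reading the code by hand. The following is an added example, not code from the question, from Authorize.net or from any poster; the card-field name hints and the sample checkout page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed substrings that mark a field as carrying card data (constructed, not a standard).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry", "exp_")


class _FormCollector(HTMLParser):
    """Collect every <form> on the page with its action and input names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("name") or attrs.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_card_forms(page_url, html):
    """Report card-collecting forms exposed to plain HTTP. Two separate exposures:
    the page itself served over http (the form can be altered in transit) and the
    submit target resolving to http (the card number crosses the wire in clear)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(hint in field for field in form["fields"] for hint in CARD_FIELD_HINTS):
            continue  # not a card form, ignore it
        action = urljoin(page_url, form["action"] or page_url)  # empty action posts to same page
        problems = []
        if urlsplit(page_url).scheme != "https":
            problems.append("page served over plain http")
        if urlsplit(action).scheme != "https":
            problems.append("form posts to plain http")
        if problems:
            findings.append({"action": action, "problems": problems})
    return findings


# Constructed sample: the situation from the edited question, an http intranet page
# whose card form posts to an https endpoint, plus an unrelated search form.
SAMPLE_URL = "http://intranet.example/checkout"
SAMPLE_HTML = ('<form action="https://secure.example/charge" method="post">'
               '<input name="cardNumber"><input name="cvv"></form>'
               '<form action="/search"><input name="q"></form>')
```

Running `find_plaintext_card_forms(SAMPLE_URL, SAMPLE_HTML)` flags only the card form, and only for the page being served over HTTP; the original (pre-edit) situation would add a second problem for the HTTP submit target.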
+2  A: 

It's very important and what you do can cause some serious problems.

Also it's against PCI standards, and every company that processes credit card information has to follow PCI standards, so you might get into some legal trouble by doing so.

dr. evil
+1  A: 

I would recommend reading the OWASP guide: http://www.owasp.org/index.php/Category:OWASP_Guide_Project (Free download)

Page 53 and onwards has some great information.

I would say what you're doing is terribly negligent and needs to be sorted ASAP.

cwap