Recent Posts

1
Photography/Video/Movies & TV / Re: The Expanse
« Last post by micah on Today at 02:41:28 AM »
I'm 3 4 episodes into season 1.  Liking it so far.  Anyone else watch it?
2
Programming / Re: PCI Question
« Last post by micah on Today at 12:23:56 AM »
For what it's worth, (and I can imagine it might be a tough sell to some clients) but he might be better served using Stripe for online transactions (separate from his Comerica account) and then just set up Stripe to disperse funds to his other account on a rolling basis.  Makes the programming way easier for you (and thus cost-effective for him) and greatly limits his (and your) liability.  Not to mention, many traditional card merchants charge hefty fees (both for setup and recurring monthly usage) for payment gateways.
3
Programming / Re: PCI Question
« Last post by ober on December 12, 2019, 10:06:47 PM »
I don't have a 3rd party system with him right now.  I've used Sage (2 diff versions), PayPal, Stripe, and ... something else I can't remember.  He uses Comerica Bank which claims to have merchant services so I probably just need to call them to see what they offer.  I really don't like this project at all honestly.  I mean it's not complicated as far as the concept but the risk is through the roof if not handled properly.
4
Programming / Re: PCI Question
« Last post by micah on December 12, 2019, 06:03:47 AM »
What third party system are you using?

I know with Authorize.net and Stripe (the only two I've worked with other than basic PayPal stuff...oh and a really shitty vendor named Payliance*) they allow you to (optionally) pre-auth a card and then store a token for that customer and charge at a future date.

For example: https://stripe.com/docs/saving-cards

So, like you're doing now, the actual PII and PCI-related data stays at the 3rd party and you just charge it later via API or their web-based dashboard (if the gateway provider has one).

*edit: I just remembered, Payliance was for ACH transactions and did NOT store data; in that case I encrypted the account number in the database.  I never had a security or compliance audit so maybe I didn't do it 100% correct, but it was a secure encryption method and the database was on a different server than the decryption key.
5
Programming / Re: PCI Question
« Last post by KnuckleBuckett on December 12, 2019, 05:34:37 AM »
Tell him 3rd party.
6
Programming / Re: PCI Question
« Last post by Mike on December 12, 2019, 12:34:01 AM »
I feel ya.  We looked at CC processing earlier in the year and quickly realized we don't want to do it ourselves and do want to use a third party.

I really feel like there is a 3rd party processor that can do this.  Entering the details at order time but not billing until shipping is super common.

From the bit I remember you basically want to separate out your web server from your processing server.  They should at least be separate VMs.  The processing server should be encrypted at rest.  The rest I don't quite remember.

Honestly, this is an area that I wouldn't touch.  Too much potential for things to go wrong and a ton of civil liabilities.
7
Programming / PCI Question
« Last post by ober on December 11, 2019, 09:48:50 PM »
So I have a client that has proprietary pricing.  He wants to have a secure page where people can respond to a quote that he sent out with modifications where they provide their CC info for future processing (sometimes they don't ship an order for 2 weeks because a lot of the work is custom and they don't charge until they ship).  The collection is all easy and fine.  Done that a bunch of times.  My issue is passing the CC info off to him.  I've only dealt with passing the CC off to a 3rd party where they process the payment and the CC info is gone.  I need to somehow securely get it to him and store it until he processes the payment.


That scares the shit out of me from a PCI compliance standpoint.  In an ideal world I would pass the CC off to a 3rd party to verify the card details and have THEM hold the information until payment is processed.  But I'm not even sure that is an option.  The last thing I want to do is just hold the information in a database somewhere and that gets hacked and he and I both go to jail.  I mean worst case I would only hold it until the payment is processed but still I don't like it.


Thoughts?
8
Photography/Video/Movies & TV / Re: Jack Ryan S2
« Last post by micah on December 03, 2019, 11:13:17 PM »
Just finished all 8 episodes. Wow. 10/10.
9
Photography/Video/Movies & TV / Re: Jack Ryan S2
« Last post by micah on December 03, 2019, 01:33:58 AM »
On episode 3 now.  It's been a while since I binged a series, this one is worth it for sure.
10
Photography/Video/Movies & TV / Re: The Expanse
« Last post by ethic on November 25, 2019, 06:36:59 PM »
Season 4 coming in December. Woot