  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 290

SSL / encryption of information

I am developing an e-commerce site for a client.  The client accepts credit cards but for accounting purposes does NOT want to process the credit card through a payment gateway.  Instead, when a website visitor makes a purchase, the credit card number should be entered into a form on the site and the purchase information emailed to the Orders Processing tech.

NO NEED TO ARGUE:  I'VE MENTIONED THIS PARTIALLY ON THIS FORUM AND I HAVE TALKED WITH THEM AT LENGTH ABOUT POTENTIAL RISKS.

The site will be hosted with a major hosting company that provides e-commerce hosting (ColdFusion /  IIS platform).



QUESTIONS:
Will having an SSL Certificate give me the ability to encrypt credit card information to the server and through the email to the Orders Processing tech?  I am using an add on shopping cart, Cartweaver, but again, no payment gateway, no merchant.  It is being processed over the phone.

Is it feasible or likely that the host would encrypt anything coming to the client?

Since I'm still hoping to talk them out of this method, I'm gathering what I can from reputable online sources about this type of transaction, such as an article from Better Business Bureau.  Can't find a lot.  Any links also appreciated.

Thank you!
0
texastwostep
1 Solution
 
jhance Commented:
No, the SSL cert will only enable you to do HTTPS (which, of course, you DO want to do).  But I'd recommend that you encrypt the sensitive information in a script PRIOR to sending it in an email.

Several encryption options are available but I'd recommend RSA.  Encrypt with the public key in the script, decrypt at the destination with the private key.
0
 
purfus Commented:
Ok, question number 1.  What company is this?  I just want to be sure not to give them my credit card number.

And jhance is correct, however, you will need to have an application of some sort on the company's end to decrypt the emails they receive from the web server.
0
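The scheme described in the two comments above (encrypt on the web server with a public key, decrypt at the order desk with the private key), as an added example that is not part of the original thread and is not ColdFusion or Cartweaver code. It is written for Node.js; the function names and the JSON envelope are assumptions, and it goes slightly beyond the thread by wrapping a per-message AES-256-GCM key with RSA-OAEP, because RSA alone can only encrypt a payload smaller than the key.

```javascript
// Added example: hybrid RSA-OAEP + AES-256-GCM envelope for an order email.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Web server side: holds ONLY the public key, so a compromised server
// cannot read orders it has already sent.
function encryptOrder(publicKeyPem, orderText) {
  const aesKey = crypto.randomBytes(32); // fresh key per message
  const iv = crypto.randomBytes(12);     // 96-bit GCM nonce, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ct = Buffer.concat([cipher.update(orderText, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey);
  // Base64 fields are safe to paste into a plain-text email body.
  return JSON.stringify({
    k: wrappedKey.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  });
}

// Order desk side: the private key lives only on the receiving machine.
function decryptOrder(privateKeyPem, envelopeJson) {
  const e = JSON.parse(envelopeJson);
  const aesKey = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP },
                                       Buffer.from(e.k, 'base64'));
  const d = crypto.createDecipheriv('aes-256-gcm', aesKey, Buffer.from(e.iv, 'base64'));
  d.setAuthTag(Buffer.from(e.tag, 'base64'));
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([d.update(Buffer.from(e.ct, 'base64')), d.final()]).toString('utf8');
}

// Round trip with a throwaway key pair and constructed test data.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const order = 'order=1001;card=4111111111111111;exp=12/30'; // constructed sample
  const envelope = encryptOrder(publicKey, order);
  return { order, envelope, publicKey, privateKey };
}
```

In a real deployment the key pair is generated once on the receiving machine and only the public PEM is copied to the web server.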
 
purfus Commented:
Oh and another piece of advice.  Whatever system will be receiving the emails with the credit card numbers, be damn sure to keep it very clean and free of malware.  There is malware out there that will redirect internet communications through other servers with the intention of exploiting all the communications.  They are rare but they do exist and if someone were to get their malware into the computer receiving those emails they would gain the ability to, through simple packet sniffing, grab all the emails and start to notice they are filled with credit card numbers to play with.
0
