Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: Customer financial data stored on Web-connected Windows Server!

begin  oe_protect.scr 
sfletcher@xxxxxxxx <sfletcher@xxxxxxxx> espoused:
> 
> Mark Kent wrote:
>> Yup, I've found another one, here it is:
>>
>> 	http://www.dabs.com/HomePage.aspx
>>
>> They actually store credit-card details from those who will allow it on
>> this site.  I've looked right through, and they /really do/ have the
>> financial stuff on a Windows machine.
> 
> 
> No customer credit card data at Dabs is stored on a "web-connected
> windows machine" as you suggested. Customer data is stored on our
> in-house, back-end application which does not run on a Windows
> platform. 

Good - perhaps your site should say so?  

> When saving new cards online, the customer's data is passed
> from the website directly to the back-end app. These details are never
> ever stored on a web-connected Windows machine.

What if the webserver machine is compromised?  It looks to me like it
would be an easy matter to grab every set of credit card info as it came
in?

> 
> For customer-facing transactions (when the web servers request card
> information from the back-end application), the application will only
> ever respond with the first and last few digits of the card number - so
> even if someone could see the traffic between the back-end application
> and our webserver, they'd still only be able to see part of the credit
> card data.

And if the webserver machine itself is compromised, what then?

> 
> I'm also unsure as to what relevance this thread has to do with Linux
> advocacy - it looks more like MS bashing to me! :-)

Really?  I thought it looked more like dabs bashing.  I must've misread
something I wrote :-)  

-- 
| Mark Kent   --   mark at ellandroad dot demon dot co dot uk  |
In order to get a loan you must first prove you don't need it.

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index