
Re: Credit Card Security



> From owner-www-security@ns2.rutgers.edu  Thu Apr 20 00:51:44 1995
> Date: Wed, 19 Apr 1995 18:00:25 -0500
> To: www-security@ns1.rutgers.edu
> From: ksaxe@midwest.net (Kent Saxe)
> Subject: Credit Card Security
> 
> I was wondering if you could recommend a security program for a WWW site
> that will have credit card numbers entered in it.  Please respond!

While we wait for the web community to agree on a bulletproof standard
(and for the holes in X and Unix and all of our LANs to be plugged as
well), here's an approach that I like:

The InfoSeek service (http://www.infoseek.com/Home) has a
telephone-based system for reporting credit card numbers.  The user
dials an 800 number and is prompted to enter a credit card number on
the touch-tone pad; the system responds with a six-digit code which the
user then enters into a WWW form.  The credit card number itself never
goes over the IP network.  Assuming that the six-digit numbers are only
usable once, this setup should be pretty secure from network-based
attacks.

Naturally, this voids the convenience of not having to pick up the
phone in order to complete a transaction on the web; however, it still
offers the advantage of being available 24x7 without the expense of
human staffing.

I don't know whether InfoSeek put together the telephone-based system
themselves or contracted with an outside source.  You might check with
them.  Possibly they'd even license it.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- Systems Programmer and RiceInfo Administrator, Rice University
-- 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
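
The single-use property the message above assumes, sketched as an added example (not part of the original post and not InfoSeek's system, whose implementation the post does not describe). The class name, the expiry window and the per-client guess limit are assumptions that go beyond the post; they are there because only 10**6 six-digit codes exist.

```python
import secrets
import time


class PhoneCodeVault:
    """Hypothetical store shared by the phone system and the web server.

    Assumed values: ttl_seconds and max_failures are illustrative defaults.
    """

    def __init__(self, ttl_seconds=900, max_failures=5, clock=time.monotonic):
        self._pending = {}    # code -> (card_number, expires_at)
        self._failures = {}   # client id -> count of failed redemptions
        self._ttl = ttl_seconds
        self._max_failures = max_failures
        self._clock = clock

    def issue(self, card_number):
        """Phone side: keep the card off the IP network, hand back a code."""
        self._purge()
        while True:
            code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
            if code not in self._pending:              # never reuse a live code
                self._pending[code] = (card_number, self._clock() + self._ttl)
                return code

    def redeem(self, code, client):
        """Web side: exchange a code for the card once; None on any failure."""
        if self._failures.get(client, 0) >= self._max_failures:
            return None       # locked out: stops walking the 10**6 code space
        self._purge()
        entry = self._pending.pop(code, None)   # pop() makes the code single-use
        if entry is None:
            self._failures[client] = self._failures.get(client, 0) + 1
            return None
        return entry[0]

    def _purge(self):
        """Drop codes whose expiry time has passed."""
        now = self._clock()
        for code in [c for c, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[code]
```

A replayed, expired or guessed code all produce the same `None` result, so the web form reveals nothing about which case occurred.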

