• Toll-free  888-665-8637
  • International  +1 717-220-0012
SStorhaug
#1 Posted : Friday, August 10, 2007 9:45:01 PM(UTC)
SStorhaug

Rank: Member

Joined: 11/20/2005(UTC)
Posts: 122

Up until last year, I used to work in the credit card industry. I noticed a couple things about your software and marketing that could help you, and I have a question about security in BVC5.


"CISP Compliance"



First of all, CISP (Visa's Cardholder Information Security Policy) has been superseded by PCI (Payment Card Industry Compliance). Since complying with Visa, Mastercard, American Express, and Discover meant 4 different audits with (possibly conflicting) rules, over 3 years ago the credit card giants joined their efforts to come up with a security policy that everyone could comply with using only 1 set of rules.



However, CISP and PCI basically cover the same things so we are just talking about semantics. It would probably help your marketing efforts if you advertised that you are compliant with the current standard, though.



Basically, the 3 main things an e-Tailer needs to consider are:



1. Payment information is stored in encrypted format (and BVC5 does this).

2. Payment information is transmitted in encrypted format (SSL handles this one)

3. CVV2 code is never stored (which BVC5 also supports)



For more information on PCI: http://www.internetsecurityguide.com/pci/pcicompliance.shtml



Credit Card Transmission:



There is one thing Microsoft came up with in .NET 2.0 that goes beyond complying with the credit card standards. There is now a datatype called SecureString that allows you to transmit sensitive information around in .NET. The main advantage of using it is once you have moved the sensitive data to its destination, you can call the Dispose() method on the object to instantly remove the sensitive information from memory. A regular string datatype will remain in memory on the computer it existed in until the .NET garbage collector removes it - which gives the more astute hackers the opportunity to capture it if they compromise the web server's memory.



Upon my analysis of your demo, I noticed that you are not using SecureString to move sensitive data around within BVC5.



Encryption Key Storage:



Just out of curiosity, how is the encryption key that is used to encrypt the credit card information stored in BVC5 and what specifically was done to keep it from being compromised?
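
The SecureString handling described in the post above, as an added example that is not part of the original thread and not BVC5 code: the card number is built without passing through a System.String, checked in unmanaged memory that is zeroed afterwards, then disposed. The names `FromChars` and `LuhnValid` are hypothetical, and the card number is a constructed test value.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Copy chars into a SecureString, then wipe the caller's buffer.
    static SecureString FromChars(char[] source)
    {
        SecureString s = new SecureString();
        try
        {
            foreach (char c in source) s.AppendChar(c);
            s.MakeReadOnly();               // no further appends or edits
            return s;
        }
        catch { s.Dispose(); throw; }
        finally { Array.Clear(source, 0, source.Length); }
    }

    // Luhn check that reads the plaintext only from an unmanaged copy.
    static bool LuhnValid(SecureString s)
    {
        IntPtr p = IntPtr.Zero;
        try
        {
            p = Marshal.SecureStringToGlobalAllocUnicode(s);
            int sum = 0;
            bool dbl = false;
            for (int i = s.Length - 1; i >= 0; i--)
            {
                int d = Marshal.ReadInt16(p, i * 2) - '0';  // UTF-16 code unit
                if (d < 0 || d > 9) return false;
                if (dbl) { d *= 2; if (d > 9) d -= 9; }
                sum += d;
                dbl = !dbl;
            }
            return s.Length > 0 && sum % 10 == 0;
        }
        finally { if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p); }
    }

    static void Main()
    {
        // Constructed test number. A literal is itself a managed string, so
        // real input should arrive as chars and never as a string.
        char[] pan = "4111111111111111".ToCharArray();
        using (SecureString card = FromChars(pan))
            Console.WriteLine(LuhnValid(card));
    }   // Dispose has zeroed and released the SecureString's buffer here
}
```

The protection only holds if the value never existed as a regular string: a card number that reaches the application as a posted form field is already a System.String on the managed heap, and copying it into a SecureString does not remove that original.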
Marcus
#2 Posted : Saturday, August 11, 2007 10:17:20 AM(UTC)
Marcus

Rank: Member

Joined: 11/5/2003(UTC)
Posts: 1,786

dotnetguy,

It's clear that you have a lot of pre-sales questions. I think your questions could be better answered by calling our sales line at 877-306-7393.
[email protected]
#3 Posted : Saturday, August 11, 2007 10:21:14 AM(UTC)
bobn@laurastamm.net

Rank: Member

Joined: 6/6/2005(UTC)
Posts: 483

lol. I'm just guessing that not answering your last question might be one of the steps they take to keep the key from being compromised.

Bob Noble
MitchA
#4 Posted : Saturday, August 11, 2007 12:27:56 PM(UTC)
MitchA

Rank: Member

Joined: 3/3/2006(UTC)
Posts: 1,737

Sharp, Bob!!!

Yea, I'd like to have a piece of that too!!!
Optimists invent airplanes,
Pessimists buy parachutes.
©2025 Develisys. All rights reserved.