Firewall Wizards mailing list archives
RE: secure infrastructure question
From: "Carl Friedberg" <friedberg () exs esb com>
Date: Wed, 23 Apr 2003 10:55:41 -0400
I was also tempted to make a business (rather than FW Ideology-based) reply, so here it is: if the renewals are annual (or thereabouts), this doesn't make sense. Most credit cards expire in 2 or 3 years, so you will have to update customer information anyway. If this is monthly, or weekly, then it makes sense. I would not want to be responsible for customer credit card information unless there was a significant business payback.

I must say I was shocked when I got a renewal "reminder" from Consumer Reports website (of all places). They had saved my credit card information, and apparently I hadn't read the fine print carefully enough; the renewal was automatic, based on the saved credit card info. I was so mad, I cancelled it. Then, they came back and offered me the renewal at 1/2 off. Grrrr

End of silliness totally off topic...

Carl

-----Original Message-----
From: Ahmed, Balal [mailto:balal.ahmed () cgey com]
Sent: Wednesday, April 23, 2003 7:47 AM
To: 'm p'; Alan R. Young; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] secure infrastructure question

Rather than go through the pains of writing your own web application / Database, encrypting the CC data, penetration testing the application, insuring against fraud and data loss, configuring DMZs / layered architecture........etc etc etc. Why not hyperlink off to one of the many CC clearing bureau services that provide this functionality at a fraction of the cost and effort it will take you to set this up? I have seen large B2B and B2C platforms do this to transfer responsibility, and to a certain extent, risk on to a specialist third party.

-----Original Message-----
From: m p [mailto:sumirati () yahoo de]
Sent: 23 April 2003 01:05
To: Alan R. Young; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] secure infrastructure question

--- "Alan R. Young" <aryoung () veros com> wrote:
> Hello All
> I am looking for ideas and references. I want to set up a membership-based web site, where the members can leave their credit card on file with us, and after they use up their account balance, they can renew their membership using the credit card that we have on file. So how do you build a secure web infrastructure that would maximize the safety of the customers' credit cards accounts? What type of firewalls/etc would I need?

Firewalls? What for? You are asking for a complete setup. That is not a question for "what firewall vendor do you advise".

Ok, so I will do a part of your work: You have your application running on the outside. There you send a message to a system in a private DMZ which has the accounting database _without_ the credit card numbers. Only the amount of time/money is stored there. And perhaps the last/first 5 digits of the CCN plus the issuer and the expiration date. If the customer wants to renew his membership you will only display him those digits and perhaps the issuer and ask him if he wants to reuse that card.

The CCNs will _only_ be stored in your heavily secured internal network and while in transit on the outside systems after the customer has entered it and before the inside system has polled them.

That is a design and not a firewall question.

Marc

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
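
The three-tier split Marc describes above, sketched as an added example (not code from the thread or from any of its posters). The class names, the in-memory stores and the `charge` callable are assumptions made for illustration, and the card number is a constructed test value.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class DmzRecord:
    """DMZ accounting row: display data and balance, never the full number."""
    last_digits: str
    issuer: str
    expiry: str
    balance: int = 0

class OutsideApp:
    """Internet-facing tier: holds a full number only while in transit."""
    def __init__(self, dmz):
        self.dmz, self.transit = dmz, deque()

    def submit_card(self, member_id, ccn, issuer, expiry):
        self.transit.append((member_id, ccn, issuer, expiry))

    def renewal_prompt(self, member_id):
        r = self.dmz[member_id]
        return f"Reuse {r.issuer} card ending {r.last_digits} (exp {r.expiry})?"

class InternalVault:
    """Internal network: the only tier that stores full card numbers."""
    def __init__(self, dmz):
        self.dmz, self._cards = dmz, {}

    def poll(self, outside):
        # The inside system pulls; nothing outside opens a connection inward.
        while outside.transit:
            member_id, ccn, issuer, expiry = outside.transit.popleft()
            self._cards[member_id] = ccn
            self.dmz[member_id] = DmzRecord(ccn[-5:], issuer, expiry)

    def renew(self, member_id, amount, charge):
        # charge: hypothetical callable standing in for the card processor.
        if not charge(self._cards[member_id], amount):
            return False
        self.dmz[member_id].balance += amount
        return True

def demo():
    dmz = {}  # stands in for the DMZ accounting database
    outside, vault = OutsideApp(dmz), InternalVault(dmz)
    outside.submit_card("m1", "4111111111111111", "Visa", "04/05")  # constructed
    vault.poll(outside)
    vault.renew("m1", 20, lambda ccn, amt: True)
    return outside.renewal_prompt("m1"), dmz["m1"], len(outside.transit)

if __name__ == "__main__": print(demo())
```
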
Current thread:
- secure infrastructure question Alan R. Young (Apr 22)
- Re: secure infrastructure question m p (Apr 22)
- <Possible follow-ups>
- RE: secure infrastructure question Ahmed, Balal (Apr 23)
- RE: secure infrastructure question Carl Friedberg (Apr 23)