Firewall Wizards mailing list archives

RE: secure infrastructure question


From: "Carl Friedberg" <friedberg () exs esb com>
Date: Wed, 23 Apr 2003 10:55:41 -0400

I was also tempted to make a business (rather than FW Ideology-based)
reply, so here it is: if the renewals are annual (or thereabouts), this
doesn't make sense. Most credit cards expire in 2 or 3 years, so you
will have to update customer information anyway. If this is monthly, or
weekly, then it makes sense. I would not want to be responsible for
customer credit card information unless there was a significant business
payback.

I must say I was shocked when I got a renewal "reminder" from the Consumer
Reports website (of all places). They had saved my credit card
information, and apparently I hadn't read the fine print carefully
enough; the renewal was automatic, based on the saved credit card info.
I was so mad, I cancelled it. Then, they came back and offered me the
renewal at 1/2 off. Grrrr

End of silliness totally off topic...

Carl

-----Original Message-----
From: Ahmed, Balal [mailto:balal.ahmed () cgey com] 
Sent: Wednesday, April 23, 2003 7:47 AM
To: 'm p'; Alan R. Young; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] secure infrastructure question


Rather than go through the pains of writing your own web application /
database, encrypting the CC data, penetration testing the application,
insuring against fraud and data loss, configuring DMZs / layered
architecture... etc etc etc.

Why not hyperlink off to one of the many CC clearing bureau services that
provide this functionality at a fraction of the cost and effort it will
take you to set this up? I have seen large B2B and B2C platforms do this
to transfer responsibility, and to a certain extent, risk on to a
specialist third party.


-----Original Message-----
From: m p [mailto:sumirati () yahoo de]
Sent: 23 April 2003 01:05
To: Alan R. Young; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] secure infrastructure question


 --- "Alan R. Young" <aryoung () veros com> wrote: >
Hello All

I am looking for ideas and references.

I want to set up a membership-based web site, where the members can
leave their credit card on file with us, and after they use up their
account balance, they can renew their membership using the credit card
that we have on file.

So how do you build a secure web infrastructure that would maximize the
safety of the customers' credit card accounts? What type of
firewalls/etc would I need?


Firewalls? What for? You are asking for a complete
setup. That is not a question for "what firewall
vendor do you advise".

Ok, so I will do a part of your work:

You have your application running on the outside.
There you send a message to a system in a private DMZ
which has the accounting database _without_ the credit
card numbers. Only the amount of time/money is stored
there.  And perhaps the last/first 5 digits of the CCN
plus the issuer and the expiration date.

If the customer wants to renew his membership you will
only display him those digits and perhaps the issuer
and ask him if he wants to reuse that card.

The CCNs will _only_ be stored in your heavily secured
internal network and while in transit on the outside
systems after the customer has entered it and before
the inside system has polled them.

That is a design and not a firewall question.

Marc
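The data split Marc sketches above, as an added illustration that is not code from the thread: the outside tier keeps the full card number only in a transit slot until the inside system polls it, the DMZ accounting record holds balance, issuer, expiry and a masked number, and only the inside vault ever keeps the PAN. The class names, the in-memory dicts, the five visible digits and the sample card number are all assumptions.

```python
from dataclasses import dataclass

def mask_ccn(ccn: str, visible: int = 5) -> str:
    """Return only the last `visible` digits for display; the count is a policy choice."""
    digits = "".join(ch for ch in ccn if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - visible) + digits[-visible:]

@dataclass
class DmzAccount:
    """Accounting record kept in the private DMZ: no full card number here."""
    member_id: str
    balance: float
    issuer: str
    expiry: str
    ccn_display: str  # masked form only

    def renewal_prompt(self) -> str:
        return f"Reuse {self.issuer} card {self.ccn_display} (exp {self.expiry})?"

class OutsideTier:
    """Web application: holds the PAN only between entry and the inside poll."""
    def __init__(self) -> None:
        self.transit: dict[str, str] = {}        # member_id -> full PAN, short-lived
        self.dmz: dict[str, DmzAccount] = {}      # what the DMZ database would hold

    def enroll(self, member_id: str, ccn: str, issuer: str, expiry: str, balance: float) -> DmzAccount:
        self.transit[member_id] = ccn
        rec = DmzAccount(member_id, balance, issuer, expiry, mask_ccn(ccn))
        self.dmz[member_id] = rec
        return rec

    def pan_exposed_outside(self) -> bool:
        """True if any full PAN is still present on the outside systems."""
        return bool(self.transit)

class InsideSystem:
    """Heavily secured internal network: polls the outside tier and purges transit data."""
    def __init__(self) -> None:
        self.vault: dict[str, str] = {}

    def poll(self, outside: OutsideTier) -> int:
        moved = 0
        for member_id in list(outside.transit):
            self.vault[member_id] = outside.transit.pop(member_id)  # move, never copy
            moved += 1
        return moved
```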


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




