[OWASP-GUIDE] Anyone from a CC issuer / banking CC services here?
Andrew van der Stock
vanderaj at greebo.net
Thu Jun 3 10:33:43 EDT 2004
I wish to include something in the Guide on how to correctly deal with CC
storage and handling. I think the Guide is possibly missing something about
secret storage, which is something I think we all struggle with.
I usually push my clients towards the Visa Merchant Guidelines
(https://www.visa.com/_gds_mod/fb/merchants/gds/downloads.html) but rarely
does that help people understand the real reasons behind why these
guidelines exist, nor is everyone I deal with a merchant. For example, I've
done work for loyalty programs before, and I've found they really didn't
understand the risk despite their close relationship with their issuing
partner (who are Visa/MC part-owners).
I see a few paragraphs detailing:
* best practices for accepting CC payments
* why you don't store any CC numbers, ever. (Except when you have to,
and what to do if you have to.)
* Presenting a CC number safely to call centre staff, sending out to
customers via e-mail, logging, etc
* working with auth numbers
* handling reversals
* what to look for in a CC gateway provider
* Where to go for more information
Anyone from CC issuers / bank CC departments here who wants to work on this
quickly? More to the point, is there space for it to appear in 2.0?