[freeside-users] question about freeside credit card security

Richard Steinhoff rich.steinhoff at TERRAN3.NET
Wed Apr 5 13:01:51 PDT 2006


Thank you for the quick reply....

Rich Steinhoff
General Manager
Terran 3 Networks, Inc. (T3NI)
PO Box 2264
Shallotte, NC  28459-2264
(910) 200-0400
rich.steinhoff at terran3.net

--- gjpc at OB1Net.net wrote:

From: "Gerard J. Cerchio" <gjpc at OB1Net.net>
To: Freeside users mailing list <freeside-users at sisd.com>
Subject: Re: [freeside-users] question about freeside credit card security
Date: Wed, 05 Apr 2006 11:43:28 -0700

Hello Richard,

We never enter the CVC code into the Freeside database.  This allows us 
to comply with the CVC restriction.  CVC is not required for authorization.

I am unaware of the cryptographic requirement but if this is the law I 
would simply move the database to an encrypted volume. I am sure that 
would meet your encryption requirement without any changes to Freeside 
at all. If you wish to add encryption internal to Freeside refer to 
http://www.postgresql.org/docs/8.1/interactive/encryption-options.html 
and please publish your patches for all to share.

I have found Freeside reliable, easy to use and the perfect solution for 
our WISP. Another advantage of Freeside is that there is no "deal". You 
use it or decide not to use it.

Regards,
Gerard Cerchio

Richard Steinhoff wrote:
> Hello,
>
> I am part of a team looking at ISP billing software and freeside is very 
> attractive to us for several reasons.  However, one of our guys, who I 
> believe is running a demo version, has come up with an issue that may be 
> a deal breaker.
>
> If you could take a look at his statement below and let me know if it is 
> correct or not, that will help us. 
>
> thank you in advance.
>
> I took a look at the Freeside database schema, and found that it 
> violates the credit card data protection rules by storing the CVC code 
> in addition to the card number, exp. date, etc. in the customer record 
> for customers who pay by charge card.  This is what put Card Systems 
> into bankruptcy.  It also requires that the entire customer record be 
> encrypted, unless PostgreSQL can encrypt only selected columns in a 
> table.  I don't know anything about PostgreSQL's encryption capabilities 
> or lack thereof.
>
>
>
>
>
> Rich Steinhoff
> General Manager
> Terran 3 Networks, Inc. (T3NI)
> PO Box 2264
> Shallotte, NC  28459-2264
> (910) 200-0400
> rich.steinhoff at terran3.net
>
> _______________________________________________
> freeside-users mailing list
> freeside-users at sisd.com
> http://420.am/cgi-bin/mailman/listinfo/freeside-users
>
>
>   
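
Added example, not part of the original thread and not Freeside code: column-level encryption with the pgcrypto module, one of the options described on the PostgreSQL page linked in the reply, which answers the question of whether only selected columns can be encrypted. The table, column names, passphrase and card number below are hypothetical, constructed values and do not reflect Freeside's schema.

```sql
-- Assumption: pgcrypto is available. On PostgreSQL 9.1+ it is enabled as an
-- extension; on older releases such as 8.1 it is installed from contrib.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical customer table. Only the card number is encrypted; the other
-- columns stay in cleartext so ordinary queries and reports keep working.
-- There is deliberately no CVC column: as the reply says, the CVC is never
-- entered into the database.
CREATE TABLE demo_customer (
    custnum         serial PRIMARY KEY,
    name            text    NOT NULL,
    card_last4      char(4) NOT NULL,   -- kept for display and lookups
    card_expiry     char(5) NOT NULL,   -- MM/YY
    card_number_enc bytea   NOT NULL    -- OpenPGP-encrypted card number
);

-- Constructed sample row. The card number is a well-known test value and the
-- passphrase is a placeholder. In an application the passphrase is passed as
-- a bound parameter from outside the database, never stored in a table and
-- never written as a literal that could end up in the server's query log.
INSERT INTO demo_customer (name, card_last4, card_expiry, card_number_enc)
VALUES ('Constructed Customer', '1111', '12/30',
        pgp_sym_encrypt('4111111111111111', 'placeholder-passphrase'));

-- Everyday queries never touch the encrypted column.
SELECT custnum, name, card_last4, card_expiry
FROM demo_customer;

-- A plain read of the encrypted column returns opaque bytes, so a database
-- dump or a read-only account without the passphrase does not expose the
-- card number. Volume encryption alone does not give this property: it
-- protects the files on disk, but every query sees cleartext.
SELECT custnum, encode(card_number_enc, 'hex') AS stored_bytes
FROM demo_customer;

-- Decryption happens only in the code path that submits a charge, and only
-- when the caller supplies the passphrase.
SELECT custnum,
       pgp_sym_decrypt(card_number_enc, 'placeholder-passphrase') AS card_number
FROM demo_customer
WHERE custnum = 1;
```

With this approach the passphrase is still visible to the server while a statement runs; pgcrypto's public-key functions (pgp_pub_encrypt / pgp_pub_decrypt) let the database hold only the public key if that exposure matters.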