[freeside-users] question about freeside credit card security
Ivan Kohler
ivan at 420.am
Wed Apr 5 14:11:47 PDT 2006
On Wed, Apr 05, 2006 at 08:51:33AM -0700, Richard Steinhoff wrote:
>
> Hello,
>
> I am part of a team looking at ISP billing software and freeside is very
> attractive to us for several reasons. However, one of our guys who, I
> believe is running a demo version, has come up with an issue that may be
> a deal breaker.
>
> If you could take a look at his statement below and let me know if it is
> correct or not, that will help us.
>
> thank you in advance.
>
> I took a look at the Freeside database schema, and found that it
> violates the credit card data protection rules by storing the CVC code
> in addition to the card number, exp. date, etc. in the customer record
> for customers who pay by charge card. This is what put Card Systems
> into bankruptcy.

This is incorrect. By default, Freeside only stores CVV codes in a
transient fashion (i.e. from the time they're captured until the time
they're first run). This is not in violation of the credit card
handling guidelines.

> It also requires that the entire customer record be
> encrypted, unless PostgreSQL can encrypt only selected columns in a
> table. I don't know anything about PostgreSQL's encryption capabilities
> or lack thereof.

This is also incorrect. Selected fields within the customer record can
be encrypted by Freeside; typically credit card information. This is
handled by Freeside, not PostgreSQL.

--
_ivan