[freeside-users] question about freeside credit card security
Gerard J. Cerchio
gjpc at OB1Net.net
Wed Apr 5 15:18:46 PDT 2006
Hi Ivan,
Thanks for the corrections below. Is credit card encryption a recent
addition in the past year? I am running 1.5.0pre6; could I turn on
encryption on the credit cards so that my database dumps have the
encrypted credit card information in them?
Thanks,
Gerard
Ivan Kohler wrote:
> On Wed, Apr 05, 2006 at 08:51:33AM -0700, Richard Steinhoff wrote:
>
>> Hello,
>>
>> I am part of a team looking at ISP billing software and freeside is very
>> attractive to us for several reasons. However, one of our guys, who I
>> believe is running a demo version, has come up with an issue that may be
>> a deal breaker.
>>
>> If you could take a look at his statement below and let me know if it is
>> correct or not, that will help us.
>>
>> thank you in advance.
>>
>> I took a look at the Freeside database schema, and found that it
>> violates the credit card data protection rules by storing the CVC code
>> in addition to the card number, exp. date, etc. in the customer record
>> for customers who pay by charge card. This is what put Card Systems
>> into bankruptcy.
>>
>
> This is incorrect. By default, Freeside only stores CVV codes in a
> transient fashion (i.e. from the time they're captured until the time
> they're first run). This is not in violation of the credit card
> handling guidelines.
>
>
>> It also requires that the entire customer record be
>> encrypted, unless PostgreSQL can encrypt only selected columns in a
>> table. I don't know anything about PostgreSQL's encryption capabilities
>> or lack thereof.
>>
>
> This is also incorrect. Selected fields within the customer record can
> be encrypted by Freeside; typically credit card information. This is
> handled by Freeside, not PostgreSQL.
>
>