[freeside-users] question about freeside credit card security

Gerard J. Cerchio gjpc at OB1Net.net
Wed Apr 5 15:18:46 PDT 2006


Hi Ivan,

Thanks for the corrections below. Is credit card encryption a recent 
addition in the past year?  I am running 1.5.0pre6; could I turn on 
encryption on the credit cards so that my database dumps have the 
encrypted credit card information in them?

Thanks,

Gerard

Ivan Kohler wrote:
> On Wed, Apr 05, 2006 at 08:51:33AM -0700, Richard Steinhoff wrote:
>   
>> Hello,
>>
>> I am part of a team looking at ISP billing software and freeside is very 
>> attractive to us for several reasons.  However, one of our guys, who I 
>> believe is running a demo version, has come up with an issue that may be 
>> a deal breaker.
>>
>> If you could take a look at his statement below and let me know if it is 
>> correct or not, that will help us. 
>>
>> thank you in advance.
>>
>> I took a look at the Freeside database schema, and found that it 
>> violates the credit card data protection rules by storing the CVC code 
>> in addition to the card number, exp. date, etc. in the customer record 
>> for customers who pay by charge card.  This is what put Card Systems 
>> into bankruptcy.
>>     
>
> This is incorrect.  By default, Freeside only stores CVV codes in a 
> transient fashion (i.e. from the time they're captured until the time 
> they're first run).  This is not in violation of the credit card 
> handling guidelines.
>
>   
>> It also requires that the entire customer record be 
>> encrypted, unless PostgreSQL can encrypt only selected columns in a 
>> table.  I don't know anything about PostgreSQL's encryption capabilities 
>> or lack thereof.
>>     
>
> This is also incorrect.  Selected fields within the customer record can 
> be encrypted by Freeside; typically credit card information.  This is 
> handled by Freeside, not PostgreSQL.
>
>   

