s> Thanks for all your replies, I think I'll have to come up with
s> some valid reason for my boss and let him know that this is a BAD
s> idea....I've been fighting/ignoring him about this for the past
s> 6 months. I wonder how places like amazon.com or other
s> places that store CC information store their information? Now,
s> I'm just asking out of curiosity.
There's a cost-benefit balance and a risk-reward balance involved in
storing credit card numbers. If you're actually storing enough
information to make a charge on a credit card, then that database is
incredibly valuable to just about anyone, and you're liable if it gets
stolen. In a worst-case scenario, you lose your merchant account and
have to compensate the credit card company for anything that is
charged through fraud or error. And the programmer responsible for it
(you) doesn't know how to store the information securely. Is not
requiring customers to re-enter their credit card information for
subsequent orders really worth that level of risk?
(If your boss says yes, get it in writing, and make sure he signs off
on any security scheme you're using.)
Amazon probably has a hefty insurance policy or special contract terms
with their credit card processor; this is something you can do when
you have the funds and sales volume that Amazon does. Netflix's
business model depends on storing credit cards for recurring monthly
charges; it's a safe bet that they've invested a hell of a lot of
money and time in making sure their database is secure. It's not that
storing credit card numbers is inherently and always a stupid move;
it's that it is a risky one that requires a lot of knowledge and work
to offset the risk and a lot of reward to make the risk worthwhile.
Charlton