[PYTHON-CRYPTO] credit card encryption

Paul Rubin phr-pycrypt at nightsong.com
Wed Jun 12 01:36:47 CEST 2002


    We want to do authorize/settle stuff asynchronously from the
    customer placing an order, so this is not an issue.  It will be a
    batch process, but the question is whether that batch requires
    human intervention to succeed (e.g., the human types in the
    passphrase that unlocks the private key for one batch).

In this case you can disconnect the payment box from the web server
completely (e.g. transfer orders daily by floppy disc), or (less
daily nuisance) connect it by a two-wire (i.e. unidirectional)
serial cable so that the web server can send stuff to the payment
box but the payment box can't send anything back to the web box
(like card numbers, if it gets broken into).

If you're running a retail site, though, sooner or later you'll want
synchronous processing.  If a credit card AVS fails because the
customer entered a phone number different than the one on file with
the card issuer (that happens all the time, people enter their work
phone# or something) and you reject the payment right away, the
customer will probably fix the problem and resubmit.  But if they
don't find out till the next day that the order failed, chances are
they'll give up and you lose the order.

I'll try to upload my encryption lib soon.  Mainly that means I have
to figure out again how to notify the stupid US export authorities
that it's online.  Sigh.
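
Added example, not part of the original post or of the author's library: a sketch of how order records could be framed for the one-way serial link described above, where the payment box can never acknowledge or request a resend. The frame layout, marker bytes, repeat count and all names are assumptions made for illustration; the sample orders are constructed.

```python
import struct
import zlib

MAGIC = b"\xa5\x5a"            # constructed sync marker (assumption, not from the post)
HEADER = struct.Struct(">IH")  # sequence number, payload length
MAX_PAYLOAD = 1024             # assumed upper bound; larger lengths mean bad sync
REPEATS = 3                    # no ACK can come back, so each frame is sent blind 3 times

def encode_frame(seq, payload):
    """Web-server side: wrap one order record for the one-way link."""
    body = HEADER.pack(seq, len(payload)) + payload
    return MAGIC + body + struct.pack(">I", zlib.crc32(body))

def transmit(orders, start_seq=1):
    """Byte stream the web server would write to the serial port."""
    return b"".join(encode_frame(s, p) * REPEATS
                    for s, p in enumerate(orders, start_seq))

class OneWayReceiver:
    """Payment-box side: read-only, so it must spot loss and duplicates itself."""
    def __init__(self):
        self.buf = bytearray()
        self.last_seq = 0
        self.missing = []      # sequence gaps, to be reconciled out of band

    def feed(self, data):
        """Consume raw bytes; return payloads of newly accepted frames."""
        self.buf += data
        accepted = []
        while True:
            start = self.buf.find(MAGIC)
            if start < 0:
                del self.buf[:-1]          # keep last byte: may be half a marker
                return accepted
            del self.buf[:start]
            if len(self.buf) < 2 + HEADER.size:
                return accepted            # header incomplete, wait for more bytes
            seq, length = HEADER.unpack_from(self.buf, 2)
            end = 2 + HEADER.size + length + 4
            if length <= MAX_PAYLOAD and len(self.buf) < end:
                return accepted            # frame incomplete, wait for more bytes
            body = bytes(self.buf[2:end - 4])
            if (length > MAX_PAYLOAD or
                    zlib.crc32(body) != struct.unpack_from(">I", self.buf, end - 4)[0]):
                del self.buf[:1]           # corrupt or false sync: hunt for next marker
                continue
            del self.buf[:end]
            if seq <= self.last_seq:
                continue                   # repeat of a frame already accepted
            self.missing += range(self.last_seq + 1, seq)
            self.last_seq = seq
            accepted.append(body[HEADER.size:])
```

The CRC only catches line noise; it gives no protection against tampering and does not replace encrypting the card data before it is sent.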




