I want to briefly touch again on PCI and payment applications, as I keep getting scared out of my security hat. There’s a fantastic tech startup group in Seattle and somebody recently asked about processing credit cards on the mailing list. One of the commenters pointed to the Rails ActiveMerchant plugin, which can be used to access payment gateways such as Authorize.NET, Paypal, and over 30 others. The following piece of code, found on the ActiveMerchant page, is what rang some bells in my head when I saw it.
require 'active_merchant'

# Create a new credit card object
credit_card = ActiveMerchant::Billing::CreditCard.new(
  :number => '4111111111111111',
  :month => '8',
  :year => '2009',
  :first_name => 'Tobias',
  :last_name => 'Luetke',
  :verification_value => '123'
)

if credit_card.valid?
  # Create a gateway object to the TrustCommerce service
  gateway = ActiveMerchant::Billing::TrustCommerceGateway.new(
    :login => 'TestMerchant',
    :password => 'password'
  )
  # Authorize for $10.00 (1000 cents)
  response = gateway.authorize(1000, credit_card)
end
While ActiveMerchant itself is not a risk, I simply want to reiterate that how you use the library matters a great deal when it comes to handling credit cards. Code used in the manner above puts your web server in scope for PCI compliance even if you never write the credit card number to disk: the number is still being processed and transmitted by your server. While you should be doing nearly everything in the PCI standard anyway in order to properly protect your assets, PCI can be a tricky field to navigate. I’ve said it before and I’ll say it again: if you want to avoid the complexity of introducing PCI compliance into your environment, do not store, process, or transmit a credit card number; use an offsite payment gateway instead.
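One check a defender can put in front of an application that is supposed to stay out of scope, as an added example that is not from the ActiveMerchant page or this post: a small guard that flags any inbound parameter that looks like a card number (13 to 19 digits passing the Luhn check), so you find out quickly if card data is reaching your server when the design says it should only ever go to the offsite gateway. The parameter names and sample values are constructed for the example.

```ruby
# Added example: detect card-number-like values in request parameters.
# A hit means a full PAN crossed your web server, i.e. it is in PCI scope.
# Parameter names and sample values below are constructed, not real traffic.

PAN_CANDIDATE = /\A[\d \-]{13,23}\z/  # digits, spaces and dashes only

# Luhn (mod 10) check, the same test ActiveMerchant's valid? applies.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

def looks_like_pan?(value)
  return false unless value.is_a?(String) && value.match?(PAN_CANDIDATE)
  digits = value.delete(" -")
  digits.length.between?(13, 19) && luhn_valid?(digits)
end

# Keep only the last four digits so the alert itself never holds a full PAN.
def mask_pan(value)
  digits = value.delete(" -")
  ("*" * (digits.length - 4)) + digits[-4, 4]
end

# Returns [param_name, masked_value] pairs for every suspicious parameter.
def find_pans(params)
  params.select { |_, v| looks_like_pan?(v) }.map { |k, v| [k, mask_pan(v)] }
end

# Constructed sample request: the test PAN from the post plus numeric
# fields (an order id that fails Luhn, a phone number) that must not trigger.
SAMPLE_PARAMS = {
  "cc_number" => "4111 1111 1111 1111",
  "order_id"  => "1234567890123",
  "phone"     => "206-555-0100",
  "amount"    => "1000"
}

if __FILE__ == $0
  find_pans(SAMPLE_PARAMS).each do |name, masked|
    warn "card-number-like value in param #{name}: #{masked}"
  end
end
```

Wired in as Rack middleware or a before_filter, this gives you an early signal that the "no card numbers here" assumption behind your PCI scoping has broken.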
If you have further questions about this, feel free to leave a comment, contact me (damon at startupsecurity.info), or visit PCI Answers for anything and everything related to PCI including contact information for one of the most knowledgeable PCI resources around, Mike Dahn.

