
Security issue.


    Security issue.

    I wonder if we are breaking any laws by having customers' card details within Actinic on our PCs? I've mentioned before that I really think that Actinic should have a password system or something to avoid a stolen PC being read by the crims.
    Football Heaven

    For all kinds of football souvenirs and memorabilia.

    #2
    Avoiding the issue are we?


    Ho Ho Ho

    Football Heaven

    For all kinds of football souvenirs and memorabilia.



      #3
      I think that you are meant to delete them when you have finished with them. That is one of the reasons that I use WorldPay - I don't like the idea of being responsible for people's credit card details.

      Regards,
      Jan Strassen, Mole End Software - Plugins and Reports for Actinic V4 to V11, Sellerdeck V11 to V2018, Sellerdeck Cloud
      Visit our facebook page for the latest news and special offers from Mole End

      Top Quality Integrated label paper for Actinic and Sellerdeck
      A4 Paper with one or two peel off labels, free reports available for our customers
      Product Mash for Sellerdeck
      Link to Google Shopping and other channels, increase sales traffic, prices from £29.95
      Multichannel order processing
      Process Actinic, Sellerdeck, Amazon, Ebay, Playtrade orders with a single program, low cost lite version now available from £19.95



        #4
        You might be breaking some laws. I'd guess it probably depends on how well your PC is protected. I'm sure of course that a security-minded person such as yourself doesn't allow anonymous login to the admin account on your PC.

        Mike

        PS. I'm like Jan and use a PSP for peace of mind. I never see any credit card details and all I can do post-purchase is a refund.
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #5
          Hi George

          Avoiding the issue are we?
          Not at all

          With regard to your question about breaking the laws, I have not seen this written anywhere at all. At present we are investigating the whole username/password dialog for version 7.

          As Mike said, you can protect your PC by not allowing anonymous login, or you could go one stage further and set up a BIOS password to prevent unauthorised access to your PC from bootup.

          Kind Regards
          Nadeem Rasool
          SellerDeck Development



            #6
            On the same issue, is the credit card data encrypted in the database? It's no use locking access to Actinic if the back door is open.

            Mike
            -----------------------------------------

            First Tackle - Fly Fishing and Game Angling

            -----------------------------------------



              #7
              Hi Mike

              The orders are encrypted on the website, but when you download the orders, they are decrypted, and are therefore plain text within the Access database.

              Kind Regards
              Nadeem Rasool
              SellerDeck Development



                #8
                Kind of what I suspected. If someone managed to hack into your PC and download the database then they'd have all the customers' details including address and credit card data.

                Personally, I think the CC data should be encrypted in the database. But not everything please, as access to the database is important for accounting and stock control.

                Mike
                -----------------------------------------

                First Tackle - Fly Fishing and Game Angling

                -----------------------------------------



                  #9
                  I don't see the problem with this. If anyone used my Card fraudulently I'd just tell my Card company and they would get the money back for me. (Well, that's what they say.)
                  ________
                  Mark x
                  Business Plus V9.0.5
                  Windows 7 Home Premium



                    #10
                    Originally posted by djferros
                    I don't see the problem with this. If anyone used my Card fraudulently I'd just tell my Card company and they would get the money back for me. (Well, that's what they say.)
                    Dee - That's EXACTLY the problem! If someone was to steal your database of customer and credit card details, the defrauded customers could get their money back - from the RETAILER at fault. That's you and me!!!



                      #11
                      Originally posted by fleetwood
                      Dee - That's EXACTLY the problem! If someone was to steal your database of customer and credit card details, the defrauded customers could get their money back - from the RETAILER at fault. That's you and me!!!
                      They wouldn't get their money back from the retailer whose database was stolen, but any fraudulent purchases made would be recoverable from the retailer who supplied goods or services paid for with the stolen card details, so I think it's important that we all have good security procedures in place to try to detect potentially fraudulent transactions when accepting orders.

                      It's not just your database you have to worry about being stolen though - if you print a Data Entry Report or Invoice, this also contains the card details, and the banks insist you retain all documentation relating to card transactions for 6 months. (Not forgetting Inland Revenue & VAT, who expect you to keep 6 years' records, including "all invoices, sales slips, delivery notes, purchase orders and correspondence relating to sales".) Then of course there are telephone and mail order transactions to worry about as well, so a secure filing system would be required for all the paperwork too! (And a good shredder to dispose of all the paper safely when it can eventually be disposed of!!)

                      At least if your database is stolen, and you are aware it has been, you should be able to restore it from a backup, which would let you supply the police and PSP with a list of compromised cards which could then be stopped to prevent them being used.
                      Brian
                      www.flowergallery.co.uk
                      Same day flower delivery to UK
                      Same day flower delivery to Republic of Ireland
                      International Flower Delivery

                      Located in Argyll, Scotland, UK



                        #12
                        We suggest Authorize.net payment gateway. We never receive a credit card at all from any transaction completed through the web site. The gateway accepts, clears and processes all payments and all we see is an authorization code. So there is no issue with insecure databases holding credit cards. If a real time payment gateway is not an option I would suggest that you consider accepting cards securely using the Actinic software and immediately after processing the transaction through your credit card terminal remove the transaction from Actinic and purge all orders. This will remove data which should be secure from the Actinic database. You should also take proper access control procedures for your computer to protect customer data.

                        Now I know no one has ever read all the fine print that comes with a merchant account, however if you accept Visa credit cards then you're a member of Visa merchants and bound to the terms of the Visa merchant agreement, which has very detailed requirements for the handling and processing of credit cards. I suggest a day of research is needed to review the visa.com web site and learn more about your obligations as a merchant. And btw if your database is hacked and your clients' credit cards are exploited because of your merchant data processing procedures, you as the hacked merchant are liable for the purchases made through your security loophole. As well, you can be fined (in the US it's 25k for a negligent breach).

                        Care should be taken with holding and storing credit cards. At the end of the day it's your ass if things go bad. Read all about internet merchant processing and Verified by Visa to protect yourself.

                        Brian
                        Brian Johnson
                        :::Sure Solutions Inc:::Professional Actinic templates from Buythisdesign.com:::
                        1-732-528-7635 x203



                          #13
                          Yep, using PSPs gets my vote too.

                          People complain about the cost, but to me the time taken to manually process cards has to add up to more than the PSP charge, and not having the security issues of holding CC detail on a PC is crucial.

                          I had never actually thought too much about CC details and small businesses who use their own CC processing. I shall certainly bear this in mind when ordering in the future. Just imagine a small business running Actinic on a laptop... and the laptop stolen whilst its owner is on a train or in a shopping centre or just walking down the road.

                          Maybe the Data Protection Act should be added to this discussion too...



                            #14
                            Originally posted by olderscot
                            If someone managed to hack into your PC and download the database then they'd have all the customers' details including address and credit card data.
                            A very good reason not to upload your raw database to your website as a backup!


                            Bikster
                            SellerDeck Designs and Responsive Themes



                              #15
                              PSPs have always been how I advise clients to go. What happens if the whole PC is stolen?

                              You should be registered with the Data Protection Register if you process any personal information.
                              Owner of a broken heart
