Questions tagged [payment-gateway]

A payment gateway is an e-commerce application service provider service that authorizes credit card payments.

81 questions
71 votes, 5 answers

Strange Payment Gateway

I have a freelance client that wants me to integrate a payment gateway into their Woocommerce site, but I am becoming increasingly concerned about their choice of provider and the project as a whole. The issues: Against my advice the client has selected…
user5451386
30 votes, 4 answers

Bypass with wrong cvv of debit card and getting OTP

This is happening in Visa/MasterCard/American Express, etc. I tried checking in many payment apps and payment gateways that if I enter the correct debit card number, name, valid date, and wrong CVV number, I am able to receive an OTP. However, the…
15 votes, 3 answers

Should I worry if my credit card payment processor's server allows only weak SSL cipher suites?

I tested their server using https://www.ssllabs.com/ssltest/ and, apart from the disappointing "B" rating (it handles financial transactions, after all), the server only allows the following two RC4 cipher suites, both of which are considered…
Gabriel S.
13 votes, 2 answers

Validating and storing credit card data for retrieval later

I need to validate and store credit card information (name, card number, expiration date, CVC) for retrieval at a later date. Once retrieved, the data will be used for manual processing on a separate system. I have been told countless times that…
tony
8 votes, 4 answers

Is it secure to login to your online banking through a third party?

In South Africa there's this payment method called SiD which may be used to pay for things like flights. SiD is an assisted method where you fill in a third party form with your internet banking login details and they aid you in the online banking…
user55890
7 votes, 4 answers

What are the security implications of the POLi Internet Payments technique?

POLi Payments is an Australian-based online payment provider which has begun trading in New Zealand. They are supported as a payment option on some large eCommerce websites in New Zealand, including Air New Zealand, JetStar and The Warehouse. It…
Adam
7 votes, 4 answers

How to not store the card during 3D Secure authentication, to be PCI DSS compliant?

I'm implementing a payment solution where the cardholder enters his card details on our own website. We need to use 3D Secure for extra authentication of the cardholder. Our payment gateway implements it with these steps: a form is created with…
BenMorel
6 votes, 1 answer

Find Security Flaws in My Payment Page

I've done some extensive research about how to secure your website from card fraud. iFrames do a pretty good job of this; however, it can still be worked around by certain exploits. Many payment providers have now moved away from 'Hosted Payment…
6 votes, 3 answers

Storing credit card information for later manual processing

I am rebuilding a client's eCommerce site using Wordpress and WooCommerce as the framework. Their current eCommerce site takes the credit card information and stores it for later manual processing. To "secure" the data it sends half the credit card…
Originals
4 votes, 1 answer

Is building an NFC payment app without a secure element like Apple Pay fundamentally insecure?

Suppose I work for a bank and am asked to write an NFC payment app for the iPhone 6 or Android but not use Apple Pay. To simply send the credit card details to the reader via NFC. Now assume I'm not storing the credit card details using a one-one…
hawkeye
4 votes, 1 answer

When to complete PCI DSS Compliance Paperwork

I am working for a startup that will soon begin processing payments with Stripe. Looking at their documentation, it seems we will have to file an SAQ A, SAQ A-EP, or an SAQ D depending on our integration method. How soon will we need to submit one…
0xPingo
4 votes, 2 answers

Are client-side-only apps regulated by PCI?

Consider a client-side-only application. It may allow a user to make a payment by redirecting them to a payment gateway website, where they enter the credit card details. If I understand correctly, in this case only the payment provider must be PCI…
interphx
4 votes, 2 answers

EMV as authentication technology and not a data security technology

I'm trying to wrap my head around what I view as EMV chip card security loopholes. Here's what I'm told about EMV. If a transaction is being recorded maliciously by a third party, they will get your account number, but: they will miss info…
4 votes, 1 answer

Is it ok from the viewpoint of PCI DSS to send credit card info to my own server which then directly sends it to PayPal?

Currently I'm developing an iOS application which has an option to pay for an order (clothes cleaning) by scanning credit card info using the device camera. I can't use Apple In-App Purchases (IAP) for this, because it is a physical good, not a virtual one:…
user90038
3 votes, 1 answer

Is there any reason for using private key 2 times when creating security hash?

One of the payment solutions for websites provides the following way of creating a security hash for a payment link: hash = sha1(private_key + payment_params_json + private_key). Is there any particular reason for using the same private_key twice?
Oleg