How safe is this solution?
Posted by bambinou, 10-31-2012, 05:43 PM Hello, I need some feedback from you please before I (maybe) make a big mistake by joining this people. An affiliate has proposed me to rent cars for holidays on my website, the problem is that the javascript code on my site is taking the credit card payment of the customers directly on my page. 1)My page is not https://, but they are telling me that their code is http:// and secure, would you believe that taking payment on someone's else website is a secure way? For me...not so much. 2)Liability, I believe that if the payment is taken from my website(even with their code and bank accounts), I would still be liable for damages if something goes wrong. 3)I believe that an affiliate should normally give you a kind of widget, then when the customer goes for the purchase, he actually pays on the affiliate's website and not the customer's website, am I correct? Please let me know what you think, if an affiliate could still be very secure even if the payment gateway shows up on your website. Thank you, Ben
Posted by zoid, 10-31-2012, 05:49 PM In short, stay away from that. In long If it is not https it is not secure in terms of data transfer. Financial and personal information should never be transferred via such a connection. I just hope there is no "fancy" and "secure" javascript encryption coming up at some point. I am not a lawyer, but I would rather tend to say yes. Generally yes. You usually get some identification code which you pass along when the user clicks the link and then you are not involved anymore.
Posted by bambinou, 10-31-2012, 05:53 PM Thanks for that. My feelings about this thing were the same as yours :-) Many thanks for taking the time to reply. Ben
Posted by FINESEC, 10-31-2012, 06:22 PM It's possible to encrypt form data in a secure manner using java script and asymmetric key cryptography, but I doubt that they're doing it correctly. Why in the first place wouldn't they use https?
Posted by bambinou, 10-31-2012, 06:30 PM Hi FINESEC. They are telling me that the payment from my site to their gateway is https:// but I do find strange that an affiliate takes credit card payments directly from your site...I have never seen that before, I just emailed them to say I am not going to accept their code. Thanks Ben
Posted by FINESEC, 10-31-2012, 06:57 PM It's strange that they would require you to change any code in your site.
Posted by mg-, 10-31-2012, 07:07 PM Doesn't matter how "secure" someone claims it to be - you have to do it properly in the eyes of both security standards AND customers.. A potential customer will notice the lack of EV, then standard SSL and will lose a lot more potentials because of that, and you are liable as SSL brings insurance with it.. you have no insurance if you aren't using a ssl cert... not to mention most cheap ssl's only have coverage of 10k.. In a business sense it's better to use a low end ssl cert than the most amazing javascript solution. js encryption would be acceptable for things like transmitting sales leads, reports, user/passwords etc... data that is sensitive but not critical on non-ssl sites. =
Posted by foobic, 10-31-2012, 09:36 PM I've seen a few websites (non-ssl) that use javascript to POST sensitive information to a secure (ssl) gateway - are you sure that isn't what they're doing? It's not something I'm comfortable with because the visitor can only know the submission is secure by examining the source / dom, or by watching the headers, eg. using the FireFox live http headers plugin (by which time it's too late!). But the information should be transmitted encrypted from the client's browser to the gateway, so technically it's secure, I guess...
Posted by zoid, 11-01-2012, 08:28 AM Well, technically you dont even need Javascript. If the action attribute contains an https link it is already secure. But as you mentioned this can be confusing to the user.
Posted by bambinou, 11-01-2012, 11:00 AM Thank you all for your reply. But even if it was secured, would you not find it strange that an affiliate take the payments on his own customers on your own website? 1)The customer does not know who the affiliate is 2)No privacy policies nor terms of use on the affiliate widget itself 3)No brands nor business company name on the widget itself, all done behind the scene in a weird contract. I removed myself from this thing anyway, I cannot take the risk of having my customers details being stolen. Customers details secured & safe first. Thanks, Ben
Posted by alyak, 11-01-2012, 12:19 PM Important NOT where data entered , but HOW it transferred . Possible they are right . Need check exacly way they do this . let say there can be form in
Posted by foobic, 11-01-2012, 08:55 PM All technical details aside, if you don't trust this company don't do business with them. You have far more to lose than to gain.
Posted by css4me, 11-08-2012, 06:04 AM You should not believe anyone for taking payment on someone elses website. It is not a secure way.