Planet Payment credit card processing system

Dec-18-17 01:31 PM EST
Original Message
Planet Payment credit card processing system
Author Paul Huard on 02-26-2001 at 10:23 (EST)
I will most likely be using the Planet Payment credit card processing system. I would like to verify a few things.

Their documentation says : "If your server does not support SSL, your buy page can be hosted on our gateway's server at no extra cost".

Am I right to believe that :
(1) I won't need to secure the server where my web site is hosted ?
(2) The whole content of my "data" directory will be hosted and secured by them ?
(3) Planet Payment will provide me the full path to my "data" directory and I will configure ushop.pl accordingly. (Question 5) ?
(4) Planet Payment will give me the means to establish an FTP connection to that SSL encrypted directory. ( For instance, to download ushop-customers.log or ushop-inventory.log ) ?
(5) The uShop order reader "knows" that the "data" directory is SSL encrypted and everything is transparent ( or do I have to configure something ? )

Thanks in advance for your help.
Paul.

Table Of Contents
  RE: Planet Payment credit card processing system Bill Weiner, 2001-02-26 15:58:06 (1)
            Security Paul Huard, 2001-02-27 09:26:26 (2)
                 RE: Security Bill Weiner, 2001-02-27 17:07:57 (3)
                      Security Paul Huard, 2001-02-27 19:33:46 (4)
                           RE: Security Bill Weiner, 2001-02-28 05:43:49 (5)
                                Security Paul Huard, 2001-02-28 09:00:33 (6)
                                     RE: Security Bill Weiner, 2001-02-28 16:05:30 (7)
                                          Security Paul Huard, 2001-03-01 12:33:17 (8)
                                               RE: Security Bill Weiner, 2001-03-01 13:00:50 (9)

Messages In This Discussion
         1. RE: Planet Payment credit card processing system
        Author Bill Weiner on 02-26-2001 at 15:58 (EST)
No, actually the Planet Payment interface will work in the same way uShop's Authorize.Net interface works... as can be seen at the demo at:

http://www.uburst.com/uShop/interfaces.html

What will basically happen is that the customer's general information is collected and stored on your server... but the sensitive credit card information is collected on Planet Payment's secure server ... and never sent to your server. So at no time will the credit card information be sent to your server.

So to answer your questions:

1) No, if using the Planet Payment interface, you don't really need to have a secure server yourself.

2) No, the "data" directory will still exist on your public server... and will store the information associated with each order... however, the sensitive credit card information will NOT be stored on your server. The sensitive credit card information will be collected on Planet Payment's server... and you will only receive an APPROVED/DECLINED indication.

3) Again, the data directory will still be created on your server... however, Planet Payment will give you a "Login" to securely login to their secure server and see transaction activity (in case you really want to see the credit card numbers... or if you want to manually process a phone order).

4) Same as 3. (The ushop-customer.log and ushop-inventory.log files will be stored in the data directory on your server).

5) The order reader will no longer encrypt orders because it will just be reading the orders off of your public server. Again, these orders will just have an APPROVED/DECLINED indication... and NOT contain any credit card information... so it is not necessary to encrypt the information.
                 2. Security
                Author Paul Huard on 02-27-2001 at 09:26 (EST)
(1) Should I make sure that my complete "cgi" directory is not viewable by regular website visitors (not only the "data" directory) ?

I use a UNIX server (Red Hat Linux). The server software is Apache. I had to set my "data" directory permission to 777 for the order system to work completely. Can you be more specific about what I should ask my hosting provider to do so my "cgi" directory is not viewable by website visitors ? Should I ask them to use a cgi-wrap ? to reconfigure something ? They should know but ...

(2) If my "data" directory was secured on my "local" server, could things work like described at the address :
http://www.uburst.com/uShop/security.html
Chapter 1 : How uShop Security Works ?

Then, should I be able to "manually" process the credit card information ?

Thanks again for your support.
Paul.
                         3. RE: Security
                        Author Bill Weiner on 02-27-2001 at 17:07 (EST)
QUESTION 1) Although it is not as critical to prevent regular website visitors from viewing your "data" directory (because you will not be storing any sensitive payment information in that directory)... it is still desirable to prevent users from viewing that directory and seeing such things as your customer log or your coupon list.

Your web hosting provider should be able to set up your data directory such that regular website visitors cannot view it. In fact, most web hosting accounts will default to not allowing visitors to view the "cgi-bin" directory or any subdirectories of the "cgi-bin". Other options are:

- a. Giving the "data" directory 733 permission usually works.

- b. Or if your provider offers "CGI-WRAP" then you can give the "data" directory 700 permissions... and you would only have to specify two URLs to use CGI-WRAP. I would be happy to assist getting that set up for you... just send us a support request so that we can handle it off-line.

- c. Or as a trick, you can even just rename the "data" directory to anything you want... so that no one will even know where your data is going to be stored.


QUESTION 2) You can of course, still use the uShop Order Reader to get the full details of the orders... but it still would not be "secure" enough to collect the credit card information yourself. The flaw would be that the data would not be encrypted before being sent to your server... so technically, there could be some network "sniffer" out there looking to intercept any un-encrypted credit card information.
                                 4. Security
                                Author Paul Huard on 02-27-2001 at 19:33 (EST)
About question 2 : I think my question was not very clear. I said "secured" instead of "SSL encrypted".

If my "data" directory was "SSL encrypted" on my "local" server, I believe I could "step 1 - securely get order information from the customer" and "step 2 - securely read the order file" with the "order reader" just as described at http://www.uburst.com/uShop/security.html
Chapter 1 : How uShop Security Works ?

Isn't this the reason for SSL encryption ? I guess this is just what is explained in this part of the documentation ?

Then, I would "manually" process the credit card information !

Sorry to ask you again !
Thanks for your help.
Paul.
                                         5. RE: Security
                                        Author Bill Weiner on 02-28-2001 at 05:43 (EST)
You are correct. That is what we were trying to explain on that security reference page ( http://www.uburst.com/uShop/security.html ). To manually accept/process credit card information:

- You basically need a secure server (i.e., a secure certificate installed on your server) so that communication during the order process is encrypted via SSL (i.e., you can access the "ushop.pl" script via a URL beginning with "https").

AND

- You must make sure that your "data" directory on that server is not accessible to regular website visitors (so that no one can access any files that get written to your data directory).
                                                 6. Security
                                                Author Paul Huard on 02-28-2001 at 09:00 (EST)
Thanks for your answer.
One more point I would like to clarify about security. What about the password that is located inside uShop.pl (Question # 13 of the configuration.) ?

Should I do something to prevent people from reading this password from the file uShop.pl and eventually accessing my "order reader". Then, they could read and even delete my orders ?

uShop.pl is not located in the same directory as the "data" directory unless we answer "./" to question 5 :
"What is the full or relative path to your data directory?"

Actually, my "cgi" directory looks like this :

cgi
|
|-- store (contains uShop.pl)
|   |
|   |-- data
|
|-- another PERL script
|
|-- another PERL script

Should I preferably make the directory where uShop.pl is located (the "store" directory ) also not accessible to regular website visitors ?

If I use SSL encryption on my local server, should I preferably also encrypt the directory where uShop.pl is located ?

Is it a good idea to put ushop.pl and the data in the same directory for security purposes ? Then, only one directory needs to be taken care of ?

Thanks !
Paul.
                                                         7. RE: Security
                                                        Author Bill Weiner on 02-28-2001 at 16:05 (EST)
No, you do not want people to be able to view the source code of your Perl scripts.... but you don't really have to worry about that because once the script is executable, no one will be able to view the source anyway.

(I.e., It is not possible to view the source of an executable CGI script.... try it yourself and see).
                                                                 8. Security
                                                                Author Paul Huard on 03-01-2001 at 12:33 (EST)
Yes, you are right. It looks like I can download the result of the execution of the script (html file for instance) but not the source itself.

One more question !
How safe is it to put an empty index.html file in a directory as a way to prevent users from accessing this directory ?

Regards.
Paul.
                                                                         9. RE: Security
                                                                        Author Bill Weiner on 03-01-2001 at 13:00 (EST)
Putting an index.html file in your "data" directory will definitely prevent people from seeing an index listing of all of the names of the files in that directory... and is probably good enough because your credit card information is not being stored there anyway.

What an "index.html" file won't necessarily prevent people from doing is looking at one of the pre-defined named files in your "data" directory ... such as the "coupons.txt" data file. That is, someone could technically guess where your data directory is and then look at the URL of the "coupons.txt" file to find a good coupon to use. Of course, that is not likely... nor would you probably even care. But if you want, you could change the names of those data files by modifying the file name constants listed at the top of your "ushop-lib.pl" file.

Otherwise, let me know if you need some assistance setting up CGI-WRAP (again email me offline for that).
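
Added example, not part of the original thread and not Microburst's code: a Python audit that decodes the 777, 733 and 700 directory modes discussed in replies 3 and 9 and shows that hiding the listing (733, or an index.html) leaves a file with a known name readable. It assumes the web server reaches the directory through the "other" permission bits; the function names and the temporary "data" directory with its sample coupon file are constructed for illustration.

```python
import os
import stat
import tempfile

# File names the thread mentions as living in the "data" directory.
KNOWN_FILES = ("coupons.txt", "ushop-customers.log", "ushop-inventory.log")

def other_access(mode):
    """Decode what a directory's 'other' permission bits allow."""
    r, w, x = (bool(mode & b) for b in (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
    return {"list": r, "create_delete": w and x, "open_by_name": x}

def audit_data_dir(path, known_files=KNOWN_FILES):
    """Return (item, finding) pairs for a uShop-style data directory.
    Assumption: the web server reaches it through the 'other' bits."""
    findings = []
    access = other_access(stat.S_IMODE(os.stat(path).st_mode))
    if access["list"]:
        findings.append((".", "file names can be listed"))
    if access["create_delete"]:
        findings.append((".", "files can be created or deleted"))
    for name in known_files:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        # Hiding the listing does not hide a file whose name is known.
        if access["open_by_name"] and os.stat(full).st_mode & stat.S_IROTH:
            findings.append((name, "readable when requested by name"))
    return findings

def demo(dir_mode):
    """Audit a constructed data directory under the given mode."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.mkdir(data)
        coupons = os.path.join(data, "coupons.txt")
        with open(coupons, "w") as fh:
            fh.write("CONSTRUCTED-SAMPLE-COUPON\n")
        os.chmod(coupons, 0o644)
        os.chmod(data, dir_mode)
        return audit_data_dir(data)

if __name__ == "__main__":
    for mode in (0o777, 0o733, 0o700):
        print(oct(mode), demo(mode))
```

This checks filesystem permissions only; whether a given URL is actually served also depends on the web server's own configuration.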

© 2003 Microburst Technologies, Inc.