将信用卡信息发送到节点
[英]Sending credit card information to node
问题描述
So i am thinking of using dibs payment 
所以我正在考虑使用dibs payment
So i found this node wrapper for: DIBS API wrapper for Node.js 所以我找到了以下节点包装器: Node.js的DIBS API包装器
However this would require me to send credit card information through a post request to my node server. 但是,这需要我通过邮寄请求将信用卡信息发送到我的节点服务器。
My question is: Is this safe? 我的问题是:这样安全吗? And if not how to i make sure it is safe? 如果不是的话,我如何确保它是安全的? So that the request cannot be hacked by unwanted parties 这样请求就不会被不需要的各方入侵
3 个解决方案
解决方案1
3 已采纳 2016-12-13 14:30:56
They provide so called "hosted payment window" ( http://tech.dibspayment.com/D2/Hosted ). 他们提供了所谓的“托管付款窗口”( http://tech.dibspayment.com/D2/Hosted )。 In such case all data will be sent directly to DIBS without going to your server. 在这种情况下,所有数据将直接发送到DIBS,而无需发送到服务器。 It's preferred solution for the most of applications. 它是大多数应用程序的首选解决方案。
In case if you want to send credit card data to your server you will need to make sure that it can not be leaked (see https://www.pcisecuritystandards.org/ ). 如果您要将信用卡数据发送到服务器,则需要确保它不会泄漏(请参阅https://www.pcisecuritystandards.org/ )。 It's a big subject (in general, it's mainly about your server and network infrastructure). 这是一个很大的主题(通常,主要是关于服务器和网络基础结构的)。
解决方案2
0 2016-12-13 14:35:36
I've not used Dibs, but I have used Stripe.. 我没用过Dibs,但是我用过Stripe ..
I assume Dibs will do this the same way. 我认为Dibs将以相同的方式进行操作。 This is because you can't accept credit card details over the internet, unless your company has been accredited, and from what I can gather this can costs thousands.. 这是因为除非您的公司已获得认可,否则您将无法通过Internet接受信用卡详细信息,而据我收集,这可能会花费数千美元。
Basically credit card information is NOT sent to your server, but the Javascript library that comes with say Stripe sends the data directly to Stripe (IOW: bypassing your server), stripe then returns a token, this token is then sent to your Server, and it's this token you then use to debit money etc. 基本上,信用卡信息不会发送到您的服务器,但是说Stripe附带的Javascript库将数据直接发送到Stripe(IOW:绕过您的服务器),然后Stripe返回一个令牌,然后将该令牌发送到您的Server,这是您随后用来借记金钱等的令牌。
This means that there is never any Credit Card information that is sent between you and your user's browsers. 这意味着您和用户的浏览器之间绝不会发送任何信用卡信息。 It's an important distinction, because unless your accredited it's illegal to store any credit card information on your server, and this includes in memory storage. 这是一个重要的区别,因为除非获得您的认可,否则将任何信用卡信息存储在服务器上都是非法的,并且这包括在内存存储中。
A quick look at DIB's, and it appears it doesn't do it this way. 快速浏览DIB,看来它并没有这样做。 So a word of warning, if you handle CC details you better check your local laws on this, it even say's this on DIB's website.. 因此请注意,如果您处理抄送详细信息,则最好就此检查您当地的法律,甚至在DIB的网站上说这也是。
It is the responsibility of the webshop to comply with current legislation.
Get the above wrong, and depending on what country your from, you could receive a heavy fine, or even worse. 弄错上述情况,并且根据您来自哪个国家/地区,您可能会受到重罚,甚至更糟。 :) :)
Update: like @Peteris has mentioned, DIB's do the hosted option, this then works similar to Stripe, and card details are sent to DIB's, and then DIB's server contacts your site. 更新:就像@Peteris提到的那样,DIB可以执行托管选项,然后类似于Stripe,并将卡详细信息发送到DIB,然后DIB的服务器与您的站点联系。
解决方案3
0 2016-12-13 14:40:59
The standard practice for merchants handling CC info, if they do so at all, is (a) encrypted in transit (so unencrypted connections or fallback to unsecure protocols eg SSL3 must be disabled) and (b) not stored at all anywhere - not in your database, not in any logs; 商户处理CC信息的标准做法(如果有的话)是(a)在传输中加密的(因此,未加密的连接或对不安全协议的回退,例如必须禁用SSL3),以及(b)根本不存储在任何地方-不在您的数据库,没有任何日志; make the transaction and ensure that the full CC info is destroyed or anonymized, eg the middle 6 digit replacement with asterisks that you might have seeon often. 进行交易并确保完整的抄送信息被销毁或匿名化,例如,您可能经常看到的用星号代替中间的6位数字。
The even more common practice is to ensure that you and your systems never ever see full cardholder data, and you delegate someone else to handle the secure processing. 更为常见的做法是确保您和您的系统永远不会看到完整的持卡人数据,并委托他人来处理安全处理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.