是否可以使用activemerchant从heroku服务器进行信用卡付款?
[英]Is it possible to do credit card payments from a heroku server using activemerchant?
问题描述
I'm building an app that needs to accept credit card payments with something like active merchant . 
我正在构建一个需要接受信用卡付款的应用程序,例如活跃的商家 。 In terms of security, is it possible for it to live on heroku and use authorize.net (or similar) as the payment gateway? 在安全性方面,它是否可以在heroku上使用并使用authorize.net (或类似的)作为支付网关?
What if it needs to store the credit card numbers? 如果需要存储信用卡号码怎么办?
Edit 编辑
Would not be forwarding users to authorize.net. 不会将用户转发到authorize.net。
1 个解决方案
解决方案1
4 已采纳 2010-09-20 04:50:59
The simple answer is yes, I believe so, but beyond that it depends. 简单的答案是肯定的,我相信,但除此之外,它取决于。
You can set environment variables for various keys and other values related to the third party service( http://docs.heroku.com/config-vars ), or just check them in and deploy them. 您可以为各种密钥和与第三方服务相关的其他值( http://docs.heroku.com/config-vars )设置环境变量,或者只是检入并部署它们。
If you are using the hosted payment service for authorize.net, and forward to their site, you don't need ssl yourself. 如果您使用authorize.net的托管支付服务,并转发到他们的网站,您自己不需要ssl。 If you will be hosting the form where credit card number and personal info are submitted, then forwarding this to authorize.net via their API on the server, you need to set-up ssl for heroku ( http://docs.heroku.com/ssl ) so that your form is secure. 如果您要托管提交信用卡号和个人信息的表单,然后通过服务器上的API将其转发给authorize.net,则需要为heroku设置ssl( http://docs.heroku.com / ssl )以便您的表单安全。
Now, it is one thing to accept payment via credit cards and just pass it thourgh, it is another to save credit card numbers and other private information. 现在,接受信用卡付款是一回事,只要通过信用卡,保存信用卡号码和其他私人信息是另一回事。 Without pointing you to various security standards docs (ie PCI DSS applies here), I will simply say that unless you absolutely have to, don't store CC numbers and related personal information, just forward to the gateway and make sure you aren't logging those fields ( http://guides.rubyonrails.org/security.html#logging ). 在没有指出各种安全标准文档(即PCI DSS适用于此处)的情况下,我将简单地说,除非您必须,不要存储CC编号和相关的个人信息,只需转发到网关并确保您不是记录这些字段( http://guides.rubyonrails.org/security.html#logging )。 If you do need to store credit card data, I think you need to have more control of the database and server to reach compliance, and I don't know a general cloud host like AWS or heroku that you can use and do this (maybe some other SO user will correct me). 如果您确实需要存储信用卡数据,我认为您需要对数据库和服务器进行更多控制才能达到合规性,而且我不知道您可以使用的常规云主机(如AWS或heroku)并执行此操作(可能其他一些SO用户会纠正我)。 Using a payment gateway like authorize.net, however, can get you there. 但是,使用像authorize.net这样的支付网关可以帮助您。
I'll also point out that different states now have laws about storing sensitive data (like MA, where I live), so yet another reason to avoid doing it unless it is essential to your business model. 我还要指出,不同的州现在都有关于存储敏感数据的法律(比如MA,我住的地方),这是避免这样做的另一个原因,除非它对你的商业模式至关重要。
For a somewhat dated, but good general discussion of PCI compliance, look here: http://broadcast.oreilly.com/2009/02/pci-in-the-cloud.html 有关PCI合规性的有点过时但很好的一般性讨论,请查看: http : //broadcast.oreilly.com/2009/02/pci-in-the-cloud.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.