Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
It's a common feature for payment providers to have a medium to store card details(which returns a reference you can always use to charge a card).
We plan on leveraging multiple payment providers, considering that our product is used by various regions (both to support the locally available cards and alongside maintain low payment charges incurred by the customer, based on their location).
Now the challenge is that each time we integrate a new payment provider, it'll require that we replicate/store all of our existing users' card details (already stored on other payment providers we leverage on) on the new provider we'll be integrating with.
Knowing fully well that:
We don't store users' card
Previously integrated payment providers don't return complete card details (just reference).
Payment providers cannot allow transferring card details to another provider.
I'm hereby seeking an alternative solution (that doesn't require storing card).
I saw something close to what we could rely on(https://www.spreedly.com/). Are there also alternatives to this?
If you want to do this, your only options are to use a vaulting product like Spreedly or become PCI certified yourself - and using a vaulting product is going to be a lot easier to deal with than the PCI certification you'll need to store the cards yourself.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
I have a client that is very jealous about her data and she asked me to replace the default bot storage of my bot with a custom storage that saves all the data in an on-premises database.
If I replace the storage, will the bot framework save permanently any conversation data in any other place? (let's say, somewhere in Azure) That's something my client would like to avoid for security concerns.
Thanks!
Saving and loading of all session data is handled in the ChatConnector's getData() and saveData() unless you provided your own via settings.storage. In non-emulator real-life scenarios it will go to https://state.botframework.com/v3/botstate/...
The bot framework doesn't store anything else, I believe. I explored this exact question very recently. Take a look:
http://www.pveller.com/smarter-conversations-part-3-breadcrumbs/
http://www.pveller.com/smarter-conversations-part-4-transcript/
I had to read the source (many times actually) to trace the inner workings of the Bot Framework and I didn't see anything that would make me think that there's another persistence somewhere.
You are probably better off asking on the official support channel to confirm and assure your client but I think you're good.
As to how reasonable it is... companies do far more crazier things for all kinds of reasons :) By the way, will you also use Microsoft's LUIS for NLU? Does your client have similar concerns about all incoming messages going through that service? It's a deep rabbit hole. I think of engagement (vs. back office automation) bots as very much cloud-native. Not easy to shield yourself from it and yet benefit from all the new tech built for it.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
People buy stuff on my site through PayPal or payment card. I need to refund some clients now but I don't have their payment/card/bank details that I could use to do so.
Considering that not storing payment details is common and refunding people is also common, what is the usual solution to deal with this situation?
Presumably you have the original order details stored, so you'll have their name, transaction reference, payment method, etc. For PayPal payments, you can issue a refund directly from your PayPal account - just cross reference the order details you have with those stored in PayPal.
For other card payments, what payment processor do you use? All the main processors have refund functionality built into their APIs. In my experience, the payment processor (who is PCI compliant) stores the card details and provides you with a unique token that identifies that card. You then communicate with them using that token, so any payments or refunds can be processed on the right card.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I was under the impression that MediaWiki is due to its nature as "open for all Wiki platform" not tailored towards managing sensitive information.
I found some warnings about this on the MediaWiki FAQ and some user account extensions as:
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
Now a consultant of my boss tells him there is no problem with sensitive information at all. I would like to hear if he is right and I worry too much.
I suppose all problems would go away if we would use separate instances of MediaWiki for every user group with the same rights.
Think about the risks here:
What sort of data are you planning on populating it with? If it is personal data such as salary, home address or medical data, or if it is credit card data then you may be required to protect it appropriately (in the US see HIPAA, Gramm-Leech-Bliley, SoX and state data protection legislation; in the UK see DPA 1988, FSA regs; in Japan JSoX; Globally PCI-DSS)
Aside from those regulations (and a whole lot of others globally) how would your business cope if the data was deleted, or published on the Internet, or modified, or corrupted?
The answers should help you define an 'appropriate' level of protection, which should then be explained along with the possible risks to the board, who should then make the decision as to whether it should go in.
(tweak the above based on company size, country etc)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
I'm putting together a small start up company which will be set up with a subscription based billing model. The bill will go to customers on either a monthly or quarterly basis depending on the end user's preference. My question is two parted:
I'm new to online billing and I'm only really aware of Pay Pal when it comes to third party bill payment, but this seems more like a check out system. I'm sure there are better alternatives than PayPal for third party billing processors (I have tried Googling for them, but I'm having trouble finding exactly what I'm looking for). What options (companies) are available for third party payment processing and what types of experiences (good or bad) have you had with them?
We would like to give our customers the ability to set up recurring payments. I'd rather not store a customer's credit card number on our database as I imagine there are a plethora of compliance guidelines around this. Is there a third party solution for recurring payment processing?
On a side note, this is not necessarily a code related question and is more business focused. I wasn't sure if there was a better route for posting this question, and please commont or modify this if there is another route I should take.
You can also look into Amazon Flexible Payment System. I implemented this for a customer and the API, at least, was very easy to work with, and Amazon seems solid and trustworthy as near as I have been able to tell.
Take a look at http://chargify.com/
There are many business out there that will fit the bill. Be sure to look for a solution that believes in Credit Card Data Portability - which means that they'll transfer your credit card data to another vendor should you want to leave them in the future.
You have many, many options. Take a look at Recurly (where I work), Chargify, Stripe, CheddarGetter, Authorize.net's ARB, PayPal's recurring billing, Braintree, etc.