I'm using Parse as a back end. I'd like to send money to users' bank accounts using ACH, but to do that I need access to their bank account information recurrently. So, I'd like to store the information (encrypted) on the Parse server, so that I can credit users' bank accounts accordingly. PCI-compliance, although suggested in this instance, is not required because obviously this has nothing to do with the Payment Card Industry...
That being said, how would one go about safely storing such sensitive data on the parse servers?
Thanks
Check out Spreedly http://www.spreedly.com/
You can have a form that posts to spreedly (or just ajax to send to their API)
and they give you a token back. You can then run a charge on the token anytime. Very good service.
There are other tokenizing services like this.
Related
I’m planning on abuilding a nextjs app and connecting it to a DB. I’d like users to login to their profiles where a summary of their calendly charged sessions through stripe is visible in a table format.
What would be the best way to get this done? I know both stripe and calendly have their own APIs to pull the data in but how can I connect them to save records in DB for a user with a unique email and ID?
Your question is too general. I think this is due to a lack of information about Stripe's features. To narrow down the problem, I'd recommend to start from Usage-based pricing. This will allow you to understand what data structure you will have in Stripe and what part of it you want to store in your database. So, in general you should pass session time from Calendly to Stripe. I don't know how it is in Calendly, but for Stripe, an email is not a unique identifier. Thus, ensuring uniqueness is up to you.
In my Android application I have an idea to store in database some serial key. If user enters correct key he gets full version of application and the key is disabled on the server to avoid multiply usage of the same key, otherwise he can buy app in Google Play without a key.
For this I thought to use Firebase Database but after read this I have some doubts
Firebase Realtime Database
Store and sync data with our NoSQL cloud database. Data is synced across all clients in realtime, and remains available when your app goes offline.
Does it mean that firebase will duplicate the table with all available keys to all application users and some smart user can read the list from this copy at his phone?
Not all data is automatically duplicated to all clients. Only data that the client subscribes to is received by that client.
You can control what data each client can see through Firebase's server-side security rules. For example, you'll typically want to ensure that each user can only read their own data.
It probably isn't a good idea to store super-sensitive data like social security numbers or credit card numbers, but if you see https://firebase.google.com/docs/database/security/ you can see, that you can control access to data, & use validation, especially since you can regenerate the keys if they become compromised, it wouldn't be the worst option. If you look at https://firebase.google.com/docs/database/security/user-security you can see, that it's possible to write an app that uses it like google drive with a smartphone-based client.
Personally the answer would no. You may want to think about Google Play Subscriptions and In-App Purchases.
If you really have to then:
Create a key as a user buys the upgrade (server-side).
Store the device id/account id (hashed) and timestamp with the key.
Credit card details and expiry dates should be combined into one hash.
Just encrypt everything.
It's better to have a banned list than a list of approved key. Eventually you have to create more keys and it's easier just to maintain a list of banned keys.
I am working on one asp.net mvc project. In which I want the facility of customer feedback. Suppose I have sent email for getting feedback on our services. So we are sending emails to customers. They gives answer via Reply of that email. And we want to save that reply automatically in database tables. Its sure that we will receive email on one our fixed email address.
So basically i want to store the reply of email from customers into the database with that customer email id. please note here Customers reply email id will be the unique customer field for me.
Is this possible? How can i achieve such functionality? Please suggest me.
Thanks in advance.
Saving email replies has nothing to do with asp.net mvc per se.
having said that, here are some solutions that you can evaluate:
assuming all the replies go to a designated mailbox (Exchange or whatever), you can setup filters (e.g. VBA files in Exchange) which can intercept the incoming emails, parse them and save it to the data base.
if you don't want to mess with mail server native filters, you can write an offline utility (C# console app, windows service, powershell script etc.) which can query a Mailbox and parse the emails and save it to the database.
All of the above approaches have their pros/cons based on ease of installation, logging, maintainability etc.
p.s. please discard the below if it doesn't make any sense for you.
an uber advice i have always received for customer feedback design problems is to get as much objective data as possible. (as opposed to unstructured textual content in an email) and to get objective data,
one option is to have a feedback form on the website where users fill in definitive fields and you can save the information in a very structured and objective manner.
another option is to send them an email with a link to the feedback form on the site, so that if not immediately, they can leisurely come back to the same site and you collect objective data the same way.
saves you the trouble of parsing emails, trying to save email documents, parsing html/string contents, manual intervention to interpret sentiments of the email etc.
I am integrating a payment gateway; this is the first time I am integrating payment gateway functionality to my system, I am using Authorised.Net for the payment gateway.
As I have successfully integrated it but I see the user has to enter the following values to purchase his item, and the transaction id is returned.
//post_values.Add("x_card_num", "4111111111111111");
//post_values.Add("x_card_num", CreditCard);
//post_values.Add("x_exp_date", "0115");
////post_values.Add("x_amount", "19.99");
////post_values.Add("x_amount", );
////post_values.Add("x_description", "Sample Transaction");
//post_values.Add("x_amount", txtAmout.Text);
//post_values.Add("x_description", txtDesc.Text);
////post_values.Add("x_first_name", "John");
////post_values.Add("x_last_name", "Doe");
////post_values.Add("x_address", "1234 Street");
////post_values.Add("x_state", "WA");
////post_values.Add("x_zip", "98004");
//post_values.Add("x_first_name", txtFName.Text);
//post_values.Add("x_last_name", txtFName.Text);
//post_values.Add("x_address", txtAddr.Text);
//post_values.Add("x_state", txtState.Text);
//post_values.Add("x_zip", txtZip.Text);
These values just fix his transaction and purchase of item, so my confusion is that if the web site owner put all this information into his database and made more transactions using his details, then what? Is it safe and secure, or something else happens that I could not figure out?
Here are some basic guidelines to follow:
Keep all information in your database except for the credit number. Never keep the credit number unless you feel that your encryption systems are safe.
Store Authorize.net successful or failed transactions
You need to create a transaction table where you will create a new line for each transaction, regardless of being the same user, or transaction result.
Encrypt some portions of the transaction: Address is good thing to encrypt. This will avoid identity theft if you ever get hacked.
Make sure all user passwords are hashed
Store the Web Site Database connection encrypted as well
Communicate with the database using only stored procedures. This should avoid SQL injection, if the stored procedures are built correctly.
This is how it is, website owner can put all the information into his database, if the transaction mode is present on the website, thats why I and I think most of others either do transactions from trusted sites or sites that redirect to some trusted gateway like paypal or authorize.net for financial transactions.
Thanks for the clarification. I'm currently working on a project that is using PayPal in this same manner. We store only the authorization code and transaction ID in our database.
In my opinion, the 30 seconds or so that the user will save by having their information stored isn't worth the risk associated with storing their information. If you're doing recurring transactions, the vendor will store the information securely for you (at least PayPal does) so there's no real reason to store the credit card information in your system.
[EDIT] As Imran pointed out, storing the last 4 digits of the number would be fine for display on a report.
You can do nothing to prevent the DB owner from misusing the information if they're storing it aside from contacting your credit card company and reporting fraudulent charges. The payment gateway has no idea who is inputting the payment details, other than ensuring the transaction is coming from one of their authorized customers (i.e., the customer authorized to use the payment gateway).
We have a client using Volusion as a storefront/e-commerce solution. We need to export purchase data, including credit card information, from it into a fulfillment provider who will then run a customer's credit card only when/if the item they ordered ships.
We have access to the server running IIS, we have the API on the fulfillment provider side to send this data over HTTPS, and we can build a simple polling ASP.Net app that runs on the same PCI-certified server that holds the CC data that moves data from Volusion to the fulfillment provider securely.
What remains is how to get the data out of Volusion. We've had several answers and none have panned out:
Use the API. The API documentation is very light, and doesn't make clear how to get CC data out.
Fill out a verification form and you can "view" it. This came from their customer service department, but they were very shaky on details.
Query the database directly. It's not clear whether this is feasible.
If someone here has handled external credit card processing on Volusion before, we're interested in how to get this done. What the process is to get these fields enabled in the XML API and the format of those fields would be enough, or some other approach - whatever gets us to the finish line.
I am pretty sure that Volusion will not ever release customer's Credit Card information to you via an API or any other means.
maybe this will help you do more research:
http://devwiki.volusion.com/index.php/Customers_Export
http://devwiki.volusion.com/index.php/Orders_Export - the closest you can get is the last 4 of the CC number.
A better design pattern would be to charge the customer at purchase time, if the drop shipper cannot fulfill the order cancel the order and refund the transaction.
You cannot extract the credit card number through the Volusion API. The only way to do it is contact Volusion Support have them enable the displaying of credit card numbers within your Admin. They will probably have you sign a wavier that you will follow PCI compliance.