If they're handling money, then, yes, the paranoia is probably necessary. Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL and similar systems is that the server they run on is typically sitting right out there on the Internet waiting for somebody to crack it, and keeping credit card information on the same rather than handing the encrypted information across some secure interface (whether a firewall or dedicated RS232 or whatever). A bulletproof 128-bit interface doesn't help if it's running on a cracked machine. Putting it on a separate firewalled machine is a Good Thing.
Yes, and being able to review the source code of the server for security holes is also Important, if you are dealing with real money.

--
Sameer Parekh                               Voice:   510-601-9777x3
Community ConneXion, Inc.                   FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")    sameer@c2.net