At 8:07 AM -0700 6/4/03, Sunder wrote:

Depends on how it gets passed from the web servers to that computer. If it's encrypted with a public key on the web server that only the database has the private half, you're safe from someone sniffing that "proprietary one-way interface."

However, if somone's already broken into the web server, they can collect the cc:'s before they get sent to the secure db.

So if you're an old Amazon customer and don't change your CC >BEFORE< someone hacks into their web server, you're safe.

It's certainly better than storing all CC's on the web server.

Now if those CC's are in raw text on the DB end, Amazon is up shit's creek if someone walks away with a db dump, backup tape, or whatever.

....

However, this is in a lot of ways MORE secure than handing that waiter or store clerk your CC. Remember that nice yellow slip has your signature, CC number and expiration date on it. Very useful for an attacker. Infact, they likely had physical access to the CC and have that extra 3 digit # on the back too.

...

I feel safer with Amazon's use of my CC than the above, don't you?

Well, I've only ordered from Amazon 2 or 3 times since they've been in business. Having my CC on file gives a much longer exposure time than the brief periods of time it would be "in transit". So, no I don't feel much safer. The $50 limit on unauthorized charges is what makes me feel safer. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | Due process for all | Periwinkle -- Consulting (408)356-8506 | used to be the | 16345 Englewood Ave. frantz@pwpconsult.com | American way. | Los Gatos, CA 95032, USA