Evergreen

Bug #1474051
Comment #6

Comment 6 for bug 1474051

Revision history for this message

Rogan Hamby (rogan-hamby) wrote on 2015-07-13: Re: [Bug 1474051] [NEW] Avoid storing partial credit card payment info

I'm on the "you should be ashamed of yourself" side of the opinion fence.
But, I can also be fairly cavalier about it as it doesn't break anything
for my users that I don't want broken. I think most institutions would feel
this way.

If we feel a wider net of feedback is needed I think this might be a good
question to throw out to the general list. I find it hard to imagine that
many would want to keep it but I'm often surprised by such things. I would
be willing to send out an email and report back in the bug feedback.

On Monday, July 13, 2015, Mike Rylander <email address hidden> wrote:

> This will outright break existing reports, including, potentially, local
> views (real or in-IDL) that mention those columns in any way... should
> we be concerned about that? If consensus is "those reports are wrong
> and bad, and you should be ashamed of yourself for creating them" then
> that's perfectly fine by me, but I felt the point should be raised.
>
> --
> You received this bug notification because you are subscribed to
> Evergreen.
> Matching subscriptions: evergreenbugs
> https://bugs.launchpad.net/bugs/1474051
>
> Title:
> Avoid storing partial credit card payment info
>
> Status in Evergreen:
> New
>
> Bug description:
> Evergreen 2.8
>
> When a (non-Stripe) credit card payment is made in Evergreen, some
> card data is stored locally in the EG database. Retaining even
> partial credit card payment information considerably raises the bar
> for PCI compliance. Since most vendors (I think, certainly PayPal)
> allow you to retrieve payment information directly from them with the
> approval code / order number, storing the data locally in Evergreen is
> also redundant.
>
> I'd like to propose that we drop (or anonymize, or leave blank) the
> following columns in money.credit_card_payment:
>
> cc_type
> cc_number (last 4)
> expire_month
> expire_year
> cc_first_name
> cc_last_name
>
> Thoughts?
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/evergreen/+bug/1474051/+subscriptions
>

If we feel a wider net of feedback is needed I think this might be a good
question to throw out to the general list.  I find it hard to imagine that
many would want to keep it but I'm often surprised by such things.  I would
be willing to send out an email and report back in the bug feedback.

On Monday, July 13, 2015, Mike Rylander <mrylander@gmail.com> wrote:

> This will outright break existing reports, including, potentially, local
> views (real or in-IDL)  that mention those columns in any way... should
> we be concerned about that?  If consensus is "those reports are wrong
> and bad, and you should be ashamed of yourself for creating them" then
> that's perfectly fine by me, but I felt the point should be raised.
>
> --
> You received this bug notification because you are subscribed to
> Evergreen.
> Matching subscriptions: evergreenbugs
> https://bugs.launchpad.net/bugs/1474051
>
> Title:
>   Avoid storing partial credit card payment info
>
> Status in Evergreen:
>   New
>
> Bug description:
>   Evergreen 2.8
>
>   When a (non-Stripe) credit card payment is made in Evergreen, some
>   card data is stored locally in the EG database.  Retaining even
>   partial credit card payment information considerably raises the bar
>   for PCI compliance.  Since most vendors (I think, certainly PayPal)
>   allow you to retrieve payment information directly from them with the
>   approval code / order number, storing the data locally in Evergreen is
>   also redundant.
>
>   I'd like to propose that we drop (or anonymize, or leave blank) the
>   following columns in money.credit_card_payment:
>
>   cc_type
>   cc_number (last 4)
>   expire_month
>   expire_year
>   cc_first_name
>   cc_last_name
>
>   Thoughts?
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/evergreen/+bug/1474051/+subscriptions
>