Wednesday, April 7, 2010

The wonderful world of credit card processing

Every year, more and more credit card purchases are done online. In an effort to make transactions more secure, credit card companies are requiring higher levels of security for web servers that process credit card payments. PCI (Payment Card Industry) compliance requires that a server processing credit card payments use SSLv3. If you are not in compliance, your merchant bank may fine you and/or shut off your merchant account as one of our customers recently found out.

This may all be very interesting (or not so interesting), and you're probably wondering what it has to do with you. If you are writing applications that talk to servers via SSL, you might find those applications suddenly failing on you when the servers are upgraded to SSLv3. The default value of REAL Studio's SSLSocket.ConnectionType property is documented as being 1, which allows SSLv2 or SSLv3. However, as it turns out, the actual default value is 0, which is SSLv2 only. If you are using the SSLSocket, you should explicitly set ConnectionType to 2 (SSLv3 only). Better yet, use the built-in constant, SSLSocket.SSLv3, to make your code clearer. We will be changing the default value to 2 for REAL Studio 2010 r2, but you should make sure your code is explicit so you don't have to worry about this.
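Here is an added example (not code from the original post or from REAL Software) of what that explicit setting looks like in REALbasic code. The host name and port are assumed placeholders; the constant values 0, 1 and 2 are the ones stated above.

```realbasic
' Added example: build an SSLSocket that does not rely on the default
' ConnectionType. Left untouched, the socket silently negotiates SSLv2
' only (value 0), which a PCI-compliant server will refuse.
Function MakePaymentSocket(host As String, port As Integer) As SSLSocket
  Dim s As New SSLSocket
  s.Address = host                    ' assumed placeholder, e.g. "gateway.example.com"
  s.Port = port                       ' assumed placeholder, e.g. 443
  s.Secure = True                     ' turn SSL on at all
  ' Explicit is safer than the documented default:
  '   SSLSocket.SSLv2  = 0  (the real default before 2010 r2; SSLv2 only)
  '   SSLSocket.SSLv23 = 1  (what the docs claimed; SSLv2 or SSLv3)
  '   SSLSocket.SSLv3  = 2  (what a PCI-compliant server expects)
  s.ConnectionType = SSLSocket.SSLv3
  Return s
End Function

' Quick sanity check a developer can run against a staging server:
' the socket must report the protocol we asked for before connecting.
Function UsesSSLv3(s As SSLSocket) As Boolean
  Return s.Secure And s.ConnectionType = SSLSocket.SSLv3
End Function
```

If `UsesSSLv3` returns False for a socket you dragged onto a window, the bug described in the update below applies and the property must be set in code (for example in the window's Open event) rather than trusting the IDE's default.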

If you are in charge of your web server and you process credit card charges with it, you should investigate PCI compliance before your credit card merchant company turns off your account at an inconvenient moment. You can check your web server for PCI compliance using this web site:


Steve Cholerton said...

Thanks for the info. Cheers - Steve

Geoff Perlman said...

Update: The bug I mentioned occurs only on SSLSockets that you place on a window. This does NOT occur if you are simply using one in your code.