Posted to dev@shiro.apache.org by "Alan D. Cabrera" <li...@toolazydogs.com> on 2011/01/20 15:49:12 UTC

Creditcard management

I think it will be useful to build a server that manages credit cards and hosts payment requests in a secure manner so that websites can be PCI compliant.  This is something that all websites that take payments eventually have to accommodate.  A REST/JSON based server that you can put behind a firewall would be just the ticket.

I was wondering if this would be a good project to do the work in.

Thoughts?


Regards,
Alan


Re: Creditcard management

Posted by Tauren Mills <ta...@tauren.com>.
Alan,

I would totally be interested in a project like this! And I would love
to see it on github so I could easily fork it, send pull requests,
etc.

Somewhat related is the question I posted on StackOverflow about
payment gateway libraries:
http://stackoverflow.com/questions/2870255/open-payment-gateway-libraries-for-java-python-ruby-node-js-and-php

From what I've seen, there are not really any decent Java-based
payment gateway libraries out there. Other languages have robust
solutions that support many different gateways. So my plan at the
moment is to run ActiveMerchant (ruby-based) or PayNode
(node.js-based) with a REST api that my Java service layer can talk
to.

What you are describing really sounds to me more like a "vault"
service that would be independent of the gateway you choose to use.
I'm going to use a 3rd-party vault service, such as Authorize.Net's
CIM so that I don't have to handle credit card information locally.
That way, my java app only needs to store a token that represents a
customer's credit card.

But having an open source vault implementation would be very nice. As
an organization grows, it would make sense to bring that in-house. So
having the solution be a full payment gateway library would really
make sense and would give the user an upgrade path from a 3rd-party
vault service to a local PCI compliant vault service.

The biggest issue I have with 3rd-party vault services is vendor
lock-in. If I no longer want to use Authorize.Net, but all my
customers' credit cards are stored in CIM, how can I easily switch to
Braintree or something else? All my customers would have to enter
their credit cards again. That's a big motivator to use your own vault
service.

Unfortunately, being PCI compliant is expensive, so I would think this
really would only make sense for larger organizations. In the
meantime, paying $20/mo for CIM isn't too bad. Having an easy upgrade
path would give peace of mind.

Tauren


On Thu, Jan 20, 2011 at 2:17 PM, Les Hazlewood <lh...@apache.org> wrote:
> Hi Alan,
>
> I'm very much interested in a project like this, but I fear that it
> might be out of scope for the Shiro project itself:  Shiro's mission
> is to be a development framework that is used to create applications -
> if we build and distribute full-fledged applications using Shiro, it
> feels like we've stepped beyond the bounds of our mission statement.
>
> Now, what I would think appropriate is that any code that is written
> in the course of building such a project that is thought to be
> re-usable for other projects - that could very easily roll back into
> Shiro so others can benefit from it (and so the respective project(s)
> don't need to maintain it).
>
> Does that make sense?  I think it's a great idea, but probably better
> suited to its own project space (maybe an Incubator or GitHub
> project?).
>
> My .02,
>
> Les
>
> On Thu, Jan 20, 2011 at 6:49 AM, Alan D. Cabrera <li...@toolazydogs.com> wrote:
>> I think it will be useful to build a server that manages credit cards and hosts payment requests in a secure manner so that websites can be PCI compliant.  This is something that all websites that take payments eventually have to accommodate.  A REST/JSON based server that you can put behind a firewall would be just the ticket.
>>
>> I was wondering if this would be a good project to do the work in.
>>
>> Thoughts?
>>
>>
>> Regards,
>> Alan
>
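The "vault" split Tauren describes above, as an added illustration that is not code from this thread or from Shiro: the vault is the only component that ever holds a full card number, the merchant application keeps just an opaque token and the last four digits, and the token is random rather than derived from the card, so nothing in the app's database can be turned back into a PAN. The class and function names and the test card number are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject mistyped card numbers before they reach storage."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CardVault:
    """Hypothetical vault service. In a deployment this sits behind the firewall
    and encrypts its store at rest; here the mapping is an in-memory dict."""
    _store: dict = field(default_factory=dict)   # token -> PAN

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: it carries no information about the card, unlike a hash
        # of the PAN, which could be brute-forced across the small PAN space.
        token = secrets.token_urlsafe(24)
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault's own payment-request path should call this
        when it forwards a charge to the gateway."""
        return self._store[token]


def app_record(vault: CardVault, customer_id: str, pan: str) -> dict:
    """What the merchant application persists for a customer: token and
    display hint only, so the app's database never contains a PAN."""
    issued = vault.tokenize(pan)
    return {"customer": customer_id,
            "card_token": issued["token"],
            "last4": issued["last4"]}
```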

Re: Creditcard management

Posted by Les Hazlewood <lh...@apache.org>.
Hi Alan,

I'm very much interested in a project like this, but I fear that it
might be out of scope for the Shiro project itself:  Shiro's mission
is to be a development framework that is used to create applications -
if we build and distribute full-fledged applications using Shiro, it
feels like we've stepped beyond the bounds of our mission statement.

Now, what I would think appropriate is that any code that is written
in the course of building such a project that is thought to be
re-usable for other projects - that could very easily roll back into
Shiro so others can benefit from it (and so the respective project(s)
don't need to maintain it).

Does that make sense?  I think it's a great idea, but probably better
suited to its own project space (maybe an Incubator or GitHub
project?).

My .02,

Les

On Thu, Jan 20, 2011 at 6:49 AM, Alan D. Cabrera <li...@toolazydogs.com> wrote:
> I think it will be useful to build a server that manages credit cards and hosts payment requests in a secure manner so that websites can be PCI compliant.  This is something that all websites that take payments eventually have to accommodate.  A REST/JSON based server that you can put behind a firewall would be just the ticket.
>
> I was wondering if this would be a good project to do the work in.
>
> Thoughts?
>
>
> Regards,
> Alan