Topic: A Little Nervous about non-secure Credit Card Info request

Like the title, I don't like to blindly give out my credit card and CVV without any security certificate available.  Will you be adding PayPal as a payment option?

Re: A Little Nervous about non-secure Credit Card Info request

smpcorp wrote:

Like the title, I don't like to blindly give out my credit card and CVV without any security certificate available.  Will you be adding PayPal as a payment option?

Duane says that the Stripe thing is an iframe (actually SSL, but the page isn't), and that your credit card information is stored by Stripe, and not Chumby themselves.

Re: A Little Nervous about non-secure Credit Card Info request

as someone who's got their fingers in the back-end servers, i can verify, there's no financial info *at all* anywhere on any of the chumby servers.

all we get is a token from stripe that verifies that someone has paid, no cc, or money info at all...

and I like it like that.. much less responsibility and worry! :)

also, you *can* hit the chumby page via ssl...

https://www.chumby.com

Cleaning up any loose bits and bytes.

Re: A Little Nervous about non-secure Credit Card Info request

diamaunt wrote:

as someone who's got their fingers in the back-end servers, i can verify, there's no financial info *at all* anywhere on any of the chumby servers.

That's nice, but who are you? And can you prove it?

The point of an SSL certificate is that a trusted third party says that you are who you say you are. I completely believe that you are handling no credit card information. I believe that the POST is probably done using SSL.  I'm even reasonably sure that Stripe has passed all their PCI audits and is totally safe to do business with.

I know that security on the web is AFU, and what we're asking you for is silly, when you really think about it... but consumers have been trained to look for the little lock symbol, to look for the green bar, etc, and right now you don't have that.

Fix that.

Especially since, as you say, the ssl version of the web site actually works anyway.  Toss in the redirect and make us leave you alone.

Re: A Little Nervous about non-secure Credit Card Info request

I'm not really sure how I can prove a negative.  or what you'd consider that I could offer as proof of who I am.

if you want to see the lock, you can use https for now.

personally, I'd like to see a little lock when I hand my credit card to the waitress at the restaurant. :)

as to stripe and pci... you got me curious, so I googled this up: https://stripe.com/help/security


Re: A Little Nervous about non-secure Credit Card Info request

It probably does make sense to have an SSL cert and have the subscription page go via https.  We know this makes zero difference to the actual security of the site, but it'll prevent people who are used to looking for the lock from getting scared.  And, to be honest, encouraging people to look for the lock is a good thing (even if you can get a cert for free...)

Re: A Little Nervous about non-secure Credit Card Info request

diamaunt wrote:

personally, I'd like to see a little lock when I hand my credit card to the waitress at the restaurant. :)

This is one of the advantages of "chip'n'pin"; the waitress never gets your card!

Re: A Little Nervous about non-secure Credit Card Info request

The reason the whole site isn't https is that many of the chumby apps will malfunction when previewed.

I am working on making the subscription page https to alleviate the concerns.

Re: A Little Nervous about non-secure Credit Card Info request

sweh wrote:
diamaunt wrote:

personally, I'd like to see a little lock when I hand my credit card to the waitress at the restaurant. :)

This is one of the advantages of "chip'n'pin"; the waitress never gets your card!

I've seen videos from 'over the pond' about sneaky shit they can do to rip you off even with chip'n'pin (which, I agree, is a much better technology than the ancient stuff we have here.)


Re: A Little Nervous about non-secure Credit Card Info request

@Duane - yeah, only the sub page needs it.  Nothing else is really that sensitive; 'nice to have' but not 'critical'.

@diamaunt - CnP isn't unbeatable, but it's massively better than the US system!

Re: A Little Nervous about non-secure Credit Card Info request

sweh wrote:

@diamaunt - CnP isn't unbeatable, but it's massively better than the US system!

I agree 100%


12 (edited by smpcorp 2014-07-07 11:19:15)

Re: A Little Nervous about non-secure Credit Card Info request

I registered my Chumby 1 in March 2011 and haven't turned it off since.  I was just using it as a digital clock on my kitchen counter.  Looking forward to installing new apps and using it again as I did before it went dark.  I just have the problem with giving out my CC info at the moment.  I had a real bad time with unauthorized use in the past and now I am very cautious.

Re: A Little Nervous about non-secure Credit Card Info request

The next release of the server will make the subscription pages SSL.

Re: A Little Nervous about non-secure Credit Card Info request

smpcorp wrote:

Like the title, I don't like to blindly give out my credit card and CVV without any security certificate available.

The updated web page has been deployed; when you click over to the subscription section, you'll be taken to an ssl page, for your comfort.

the payment will still be done in a secure iframe to stripe, but the chumby page behind it will show ssl.
