I now know we are not speaking the same language

[byteme]

Whilst I do not have a problem with call centres outside of the UK, when requesting tech support, it is really unhelpful to have people who do not quite understand the english language. It is clear that these chaps do try, but it is also evident that communicating issues that need assistance are hampered by lack of language knowledge.

To collect orders from a secure server shouldn't be rocket science, and indeed storing such files without adequate security shouldn't happen, but to get this information together shouldn't be as difficult to find out. I am moving from my current hosts due to lack of support on an issue that has been outstanding since April, but I am worried that I may be making a mistake entrusting my client base if the language barrier further complicates already complicated issues.

See the copy of the conversation below......


adam: Hello
adam: Welcome to Team chat.
ros: Hi adam you drew the short straw again! I need to talk a bit further about Shared SSL
adam: yes please
ros: I have got the shared ssl, I have my own checkout script and I want to save orders on the server
adam: shared ssl and and I want to save orders on the server ?
ros: Yes
adam: I can understand
adam: can't understand
ros: I have a checkout script - ok
ros: when they customer fills in the checkout script the credit card details need to go somewhere yes?
adam: ok so ?
ros: so to ensure the orders can be viewed they have (until now) gone onto the shared SSL to be retreived by my customer and processed
ros: I still want to allow them to get their orders this way
adam: well you can acess it with https://domain name ?
ros: can I create a folder via ftp on the normal site - say cal it orders, then call the checkout under HTTPS and then save it in the orders folder - AND be secure?
adam: yes you can
adam: do that
ros: OK, to do that I would have to chmod the orders folder to 777 to receive the order yes?
adam: yes
adam: fullpermission
ros: To get the orders I will need to create a script to list all files in the folder. Could they possibly open this unsecured too?
adam: yes
ros: so how do we stop them?
adam: you need to contact your programmes so that he can help you in better name
adam: way
ros: I am the programmer
ros: Will htaccess be enough?
adam: yes
ros: Is there any other vunerability I need to know?
adam: no need
ros: Someone said the orders would be encrypted on the folder, will this be so?
adam: not sure
ros: can you find out?
adam: Sorry but not sure
ros: Can I raise a ticket to find out then?
adam: please
adam: so that you can get the reply soon
ros: OK I will thank you
adam: No please
ros: ?
adam Says:-
No please
ros: Sorry, you do not want me to open a ticket?
adam: you can
ros: Then I will
adam: thanks

[Administrator]

language used by Adam was quite rude. I am extremely disappointed to read such chat transcript.

basically no one saves credit card information in files. people always save credit card information in database but this should have been explained properly on livechat.

I'll get back to you once I have a word with Adam.

[jon123]

I don't know much about secured ssl but thought you shouldn't store credit card info on shared ssl. I though i read it wasn't secure enough. Thought that is why peeps use payment gateways like paypal, etc.

Although think byteme is refering to order info only

[byteme]

I did in fact have a further chat with both Kenny and when he was unable to reply, Adam. I was told firstly that it WAS secure and I did repeat my question, was it encrypted ( yes I did want to store CC details ) and did it REMAIN encrypted - he seemed not to be sure first he said yes then no and so I repeated what he said last and asked him to confirm. He said yes and that is "what I told you on last chat" and I did not bother to argue. I said at last I have the truth of the matter, I only wanted the correct info to ensure safety of the information, he did offer me a SSL cert, but honestly I am not sure that encryption exists here either, just as a wrapper SSL shell.

My old hosts on shared SSL did encrypt the orders and un encrypt them when you logged in.

I was going to encrypt them myself (I have located the crypt lite module which I can run from CGI-BIN, but a database would seem the best solution all round.

I have to be honest here, Adam said I didn't get them and he is right, but as the customer should I "get him" or should he just furnish me with the information I need to look after my VAR customers? He asked me what I wanted to do, and I asked him to make these issues clear on FAQ for other VARs moving multiple accounts-

I appreciate that tech support seems to be overseas, and the language barrier seems at times poor, but getting tech support to set up all the accounts correctly and securely IS important and it is not my fault if their language skills are lacking. They further seem to think that hosting is the same all over, but in 10 years of hosting I can assure them it isn't and transitions are only as painful as the new host makes it.

Please assure me that these chaps get more training.

[Cassie]

I haven't got a clue what all that means but then I don't need to as I am not tech support.

However I would like to put my 2p worth in on the subject of language. I have pointed out before that they appear to be (both in chat and telephone supp.) in a 'Indian' call centre. However I was told by them that they were in the UK. When I queried this on here Admin said they were UK but just didn't have English as the first language.

I think we need a bit of information here on exactly where the tech support (all varieties) is based and how qualified they are. Language has been a major problem and cause of major delays in getting stuff sorted. That is a bit of a disappointment as one of the reasons I moved my accounts here was the 24/7 support (although Chat has not worked for me in the last few months since the interface was changed).

[Administrator]

to keep something encrypted inside your public_html you will need something like Zend or Ioncube. You will need to use this softwares to encrypt on your local machine and then upload them on the server.

If you simply want your customers to fillout credit card details and then you save those inside a 777 permission directory then you should not expect any sort of encryption on saved documents inside your webspace. Encryption works only at the time of data transfer from customers local machine to the server and not once the data is completely transferred.

Anyone can use softwares to download everything that you keep inside your public_html. have a word with other webmasters and ask them how they accept credit card and where do they save credit card information. I have mentioned couple of times that you need to use database to save customers credit card details but it seems that you are reluctant to do so.

We wont be responsible if details of credit cards of your customers are stolen by someone if that information remains in your public_html with 777 permission.

[Administrator]

Quote:

Originally Posted by Cassie

I haven't got a clue what all that means but then I don't need to as I am not tech support.

However I would like to put my 2p worth in on the subject of language. I have pointed out before that they appear to be (both in chat and telephone supp.) in a 'Indian' call centre. However I was told by them that they were in the UK. When I queried this on here Admin said they were UK but just didn't have English as the first language.

I think we need a bit of information here on exactly where the tech support (all varieties) is based and how qualified they are. Language has been a major problem and cause of major delays in getting stuff sorted. That is a bit of a disappointment as one of the reasons I moved my accounts here was the 24/7 support (although Chat has not worked for me in the last few months since the interface was changed).

We have close to 50 staff members in 3 different offices. 2 offices in UK and 1 in India. Most of our staff members have got University Certification in Computer Science. All those who are in India have been with us for last 3 years and most of those are Engineers with Redhat and Microsoft Certifications.

[byteme]

Quote:

Originally Posted by Administrator

Anyone can use softwares to download everything that you keep inside your public_html. have a word with other webmasters and ask them how they accept credit card and where do they save credit card information. I have mentioned couple of times that you need to use database to save customers credit card details but it seems that you are reluctant to do so.

We wont be responsible if details of credit cards of your customers are stolen by someone if that information remains in your public_html with 777 permission.

Seems that you did not read my last post,

Quote:

I was going to encrypt them myself (I have located the crypt lite module which I can run from CGI-BIN, but a database would seem the best solution all round.

I rest my case.

I notice however that when I try to access the database (and table) using perl DBI as suggested by the mysql control panel - to connect the error

Software error:
Can't locate object method "connect" via package "DBI" (perhaps you forgot to load "DBI"?).

Before you ask, yes the DB is up and alive, yes it works via php and connects. I would liketo connect through Perl because the checkout is in perl.

[jon123]

I honestly don't think it is a good idea to store credit card info in databases either, that is unless you are an expert in securing the database, and even then all online dbs are serceptable to hack attempts and injections.
I think you better be clear on the data protection act and what you would be liable for if something happens, if you do so.

Of course I am refering to the CC number, sort code, etc here, I personally wouldn't store that at all. Not that I am saying you are.

I have a datebase with 4000 forms gathered online for the BBC. They only contain names, postcodes and comments, but the BBC were very stringent on making sure the names were kept very secure because of the data protection act.

Quote:

but in 10 years of hosting I can assure them it isn't and transitions are only as painful as the new host makes it.

Very true, and although i have had my problems here, I, like you, spent 7 years with Pipex and the last 2 years were the worst I ever wish to experience.

[byteme]

so what would you do with the cc details? pgp ?

[byteme]

The last 2 years - you mean here?

[jon123]

No, last 2 years with pipex, had a reseller account. They were great when they were Webfusion, turned to sh*t when pipex took them over. I have only been here since feb this year.

To be honest I am really not experienced enough to offer any advice, but I would consider payment gateways like google, paypal, egold to handle that. Would also look into doing exaclty what you would want to do, but see how much someone like WorldPay charge for using their service on my site.
I think you would be fine with CC details in a db as long as it is secure, just not sure about whether I would be happy if you stored my CC number also

[byteme]

Ah, OK well I am going to encrypt and store in db and access only bt https so we should be hunky dory

My moan was not knowing exactly what was on offer, it is hardly supposed to be a state secret. Pipex did offer encryption on shared ssl and allowed me to link my own checkout.

Mine is more secure than paypal or worldpay - they have both been successfully hacked where as mine has remained secure so its encryption by me and up to a db by me via https

[jon123]

Quote:

Mine is more secure than paypal or worldpay - they have both been successfully hacked where as mine has remained secure so its encryption by me and up to a db by me via https

To be fair to them, there are thousands of people trying every day to hack their servers. I don't think any sensitive data was hacked though...or was it?.............who really knows! Can't be sure of anything these days. Infact i just learnt that Kev on this forum is actually a spambot...who'd have thought!

I agree though that getting straight answers sometimes seems to be a huge problem.

[Administrator]

Quote:

Originally Posted by jon123

Infact i just learnt that Kev on this forum is actually a spambot...who'd have thought!

lol. you find it difficult to stay alone in any thread. right ?

lets wait for Kev. He is surely most human spambot !