I was browsing this site http://www.planet-bike.co.uk which is a bike shop near me, and I've noticed the checkout page takes card details over an unsecured connection. I was just wondering if there's actually a law against that, considering how easily someone could intercept card details from that site.
There's no law against it at all, but I'd send them an email if I were you and let them know. They probably don't know or appreciate how serious that is; they are a bike shop, after all! I found a bug in OcUK's checkout system that allowed the exact same thing, and they took the matter very seriously and gave me a voucher. You never know.
Wow, considering all the things we DO have laws against in the UK, I'm quite surprised there isn't one for this. I've emailed them to let them know, and also offered my company's services to them in order to fix their security issue. I wonder how many people have bought from that website (it's a very well known company round these parts) completely oblivious to the fact they could have their card details stolen. I know of the guy who designed and built the site, and I'm really surprised he would do that. Worrying.
I saw that, but the T&C doesn't say that the information is passed securely to WorldPay, so they seem to have covered their asses there. I'm still waiting on a reply to the email I sent; I'll give it a week and then contact the local paper, otherwise it's only a matter of time before someone gets scammed because of this.
Remember that SSL isn't the magic solution to the security problem, though. For example, you might be sending data encrypted to their webserver, but there's nothing to say they aren't then transmitting that information unencrypted to a database server somewhere else. Or storing it in an unprotected database. Or just writing it to a file in the webserver's file system. Or emailing the information to sales@their-shop.co.uk and processing it manually. And you have no way of knowing if they are doing that kind of thing.
I know, but WorldPay is a payment gateway, so they should be using curl (or similar) to post the SSL-encrypted data straight to the WorldPay servers. The main reason for payment gateways doing this is that if you want to store and process card details manually (in a cardholder-not-present manner) you have to undergo a PCI audit to make sure you are handling those details securely, which includes the requirement of SSL encryption. I find it worrying that WorldPay allow unencrypted connections to their payment gateway; every other gateway I've used requires encrypted connections. Although, thinking about it, the connection between planetbike and WorldPay could be encrypted, while the connection between client and planetbike is raw. Either way, they're doing it wrong.
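The check the thread keeps coming back to (is the checkout form carrying card fields over plaintext HTTP, and is the page that serves the form itself delivered over HTTP?) can be automated for a site you are responsible for. The following is an added example written for this page; it is not code from the thread, the shop or WorldPay. The page URL, hostnames and HTML are constructed sample input, and the list of field-name hints is a hypothetical heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical heuristic: substrings in <input name="..."> that suggest card data.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expiry", "ccnum")


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its resolved action URL and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty/missing action posts back to the page itself; urljoin handles
            # relative actions against the page URL, absolute actions pass through.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_checkout_forms(page_url, html):
    """Return one finding per form that collects card-like fields insecurely.

    Two independent problems are reported:
      * the form's action is not https, so the card data travels in plaintext;
      * the page itself was served over http, so an on-path attacker could have
        rewritten the action before the browser ever saw it, even if it says https.
    """
    collector = FormCollector(page_url)
    collector.feed(html)
    page_is_tls = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        fields = [n for n in form["inputs"] if any(h in n for h in SENSITIVE_HINTS)]
        if not fields:
            continue  # search boxes, newsletter forms etc. are not our concern here
        issues = []
        if urlparse(form["action"]).scheme != "https":
            issues.append("card fields posted over plaintext HTTP to " + form["action"])
        if not page_is_tls:
            issues.append("form delivered over HTTP; its action could be rewritten in transit")
        if issues:
            findings.append({"action": form["action"], "fields": fields, "issues": issues})
    return findings


# Constructed sample: a checkout page served over plain HTTP with three forms.
SAMPLE_PAGE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<form action="/pay" method="post">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<form action="https://gateway.example/pay" method="post">
  <input name="cardNumber"><input name="cvc">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for f in audit_checkout_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["action"], f["fields"])
        for issue in f["issues"]:
            print("  -", issue)
```

Run against the constructed sample, the first form is flagged twice (plaintext action and plaintext page), the second form only once (its action is HTTPS, but the HTTP page that served it cannot be trusted), and the search form is ignored. Fetching the real HTML is left to the reader; the point of the audit is that "the gateway is HTTPS" is not enough on its own, which is exactly the last post's caveat about the client-to-shop hop being raw even if the shop-to-gateway hop is encrypted.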