Where I work we have an ecommerce system on an intranet set up to process customers’ credit cards. Currently when we charge a customer’s credit card using Authorize.net we are not sending the credit card info to Authorize.net over a secure connection. Instead it goes over regular HTTP. I’d like to get other opinions of how serious/negligent this is. Thanks.
EDIT: It looks like I’m wrong. I snooped around in the code and it looks like it’s processing the credit card at https://secure.authorize.net. However, the web page where the credit card is entered is not secure. This is a different situation than I originally described. Sorry about that.
This seems very negligent. There have been too many leaks of credit card information to allow this sort of behavior.
Even if the processing was handled internal to your intranet, and not being sent up to a 3rd party, I would recommend using secured connections. You don’t want this to be accessible by anybody, even internal, non-authorized employees.
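The situation in the question's edit (HTTPS to the processor, but the card-entry page itself served without it) can be checked mechanically. The following is an added example, not part of the original posts: it flags card forms whose page or submit target is not HTTPS. The field-name heuristic, the sample HTML and the `shop.intranet.example` host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Name fragments that suggest a card field (assumed heuristic for this example).
CARD_HINTS = ("card", "cvv", "cvc", "expir")

# Constructed sample: a checkout form whose action is relative to the page.
SAMPLE_HTML = """
<form method="post" action="/charge">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<form action="/search"><input name="q"></form>
"""


class FormCollector(HTMLParser):
    """Record each form's action and the names of the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select") and self._open is not None:
            self._open["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_card_forms(page_url, html):
    """Return (issue, url) findings for forms that appear to collect card data."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(h in name for name in form["fields"] for h in CARD_HINTS):
            continue
        # The page itself must be HTTPS: a page fetched over HTTP can be altered
        # in transit, including the form's action, before the user types anything.
        if urlparse(page_url).scheme != "https":
            findings.append(("page-not-https", page_url))
        target = urljoin(page_url, form["action"])  # empty action = the page URL
        if urlparse(target).scheme != "https":
            findings.append(("action-not-https", target))
    return findings
```

An HTTPS form action on an HTTP page still produces a `page-not-https` finding, which is the case described in the question's edit.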