We have used Google form, Wufoo form to try to securely capture the info for IN-HOUSE processing.
Google form is unreliable and often blocked behind firm's firewall.
Wufoo does not allow storing CC info in their database
What is service or other alternative for us to securely store the cc info.
The purpose is to have people manually process the registration. Once the payment goes through, we notify the customer and remove the CC info from our database.
As soon as data is stored on a server, even for a second, you have to comply with PCI-DSS. This will limit your providers dramatically. Storing CC data on Wufoo/Google forms would not comply with it and makes you liable for quite sizeable fines.
Related
Google APIs can have usage limits, both on a per-user and a per-application basis. For example, the GMail API free tier is limited to a billion daily quota units across all users of your application.
This works for well-designed server-side applications, which can centrally ensure they obey these usage limits. However, I’m not sure how this is supposed to work for client-side apps. As Google’s documentation says,
Installed apps are distributed to individual devices, and it is assumed that these apps cannot keep secrets.
These apps are still supposed to use a client_secret and credentials, but these are assumed to not be confidential despite the name. However, just saying they aren’t secret doesn’t prevent abuse; a user of the app can take the credentials file and use it for a different purpose, perhaps one that uses the APIs more. What can an application developer do to prevent people doing this from burning through all the available quota?
Edit for clarification:
The use case that prompted this is a purely desktop app that doesn’t connect to any service except GMail (see https://github.com/mbrt/gmailctl/issues/48). If it weren’t for a global quota for all users of the app, there would be no reason to worry about individual users at all; they don’t connect to any service except GMail itself.
You could write a server app (a Cloud Function would work) which holds the secrets. Clients call your endpoint with some form of identifier and you return an Access Token. If your users have a browser, they can auth each time; if not you would need to request a Refresh Token which you store and use that to generate an AT.
Does anyone know how to get the information about user device that access the bot deployed in S4B channel and built using MS Bot Framework (C#).
I need to know about the options to detect the user device (Device type and OS) accessing the Skype For Business Bot. If there's a way to know whether user device is desktop or mobile. In bot framework the User-Agent header formatted similar to the string below:
SFBUserAgent (Microsoft-BotFramework/3.1+https://botframework.com/ua)
(The user agent from Connector returns the following:
fxversion/4.7.2563.0 osname/windowsserver2016datacenter osversion/6.3.14393 microsoft.bot.connector.connectorclient/3.14.1.1)
I want to know if UCWA can be used to detect the device type accessing Skype For Business bot.
UCWA is not able to do so, actually no client or client-facing api can provide such information. It's because User-Agent information is not part of the presence so the client doesn't publish it to other clients. The main purpose of this User-Agent information is for monitoring reporting purpose.
However there is still some space from server side to allow us to do something. If you have access to the Skype for Business server, you have several workarounds.
Get-CsConnections.ps1 is a well-known script to pull current logged in user from Lync server side. It was written in 2011 while we only had Lync 2010, but good news is it works fine with new version of Lync like Lync Server 2013, Skype for Business server 2015. This script needs to be run in Lync/Skype management shell or a Powershell session with Lync/Skype modules imported. It needs to run by using an Lync/Skype admin account.
To retrieve user agent for a particular user by using sip uri.
$UserHomePool = (Get-CsUser -Identity [sip address]).RegistrarPool
Get-CsConnections.ps1 -SipAddress [sip address] -Pool $UserHomePool
Connections.ps1 is the prototype script of the above Get-CsConnections.ps1, it's simpler but doesn't provide advanced features. You can look at it and decide which one you need.
Do it yourself. If you don't want to use 3rd party script or just want to do it in a simplest and pure way, it's possible to do it by querying it from server database. Lync/Skype server stores this user agent information in the dynamic database in Front End server. It's in the table dbo.RegistrarEndpoint of the database rtcdyn of the instance rtclocal.
Please notice that there is no public document about the database schema so you need to do a little guess and hacking yourself. Good news is all data in the database is strored in readable format so it shouldn't be a big issue.
In a very rare chance that you are not wanting this information in real-time, the monitoring report and database can be the best approach. It's not real-time data, the data is generated within 10 mins after a conversation is ended.
If you want to get it from monitoring database, you should look at SessionDetails view for P2P conversation and ConferenceSessionDetails for conference conversation. There are straighforward fields in the views called something like UserClientType to point out the user agent information for the certain session.
At last one thing I would like to remind is Skype allows user to logged in multiple clients simultaneously, so no matter how you make it work you still need to face the question which logged in client really matters to you if the user has multiple clients logged in.
I have a quick question...may sound a little straightforward but still want to throw it out there.
I am aware that typically a session is limited to a single browser and client instance.
With that said though say a user signs up on your mobile device and starts to do some shopping...maybe adds something to their cart and then decides that they want to complete the purchase on their desktop.
I have some people that want to call this a single session while technically its a new session.
Does this make any sense?
In theory this should work with Universal Analytics, at least for logged in users ( I assume that your users are logged in if they want to buy).
You can pass a client id as a parameter when you create the tracker. The client id is supposed to be formatted as UUID, so you'd have to store that along with your real client id in you backend system and pass it in to the tracker as a part of the confuguration json object (optional third parameter in ga create). Apparently this get retroactively applied to the running session (no written source for that but I recently attented a conference where a google employee said as much, so I assume this is legit).
So as far as it concerns data collection UA is ready for multidevice. I frankly do not know to what extent this already works in the Analytics Interface.
I recently had a glimpse at a Analytics Premium Account which already had some new multdevice reports. I don't know if the fact that those reports are, at least for the moment, absent from the free version means that multidevice tracking does not work yet on the free version (those reports are along the line of Venn diagramms for "How many users used more than one device" and the like).
I have implemented a feature in my application that allows registered users to send an email to a gmail account, which my server polls using Spring Integration, and then if it recognises the sender, stores the subject and body content in a database (via JPA).
I also want to allow users to be able to send files as attachments to these emails which I plan to store on AWS.
I'm sure there must be security implications with both of these features, but I'm not aware of what they might be.
So my question is, what are the security implications of allowing users to store email content in my DB and attached files on AWS?
TIA
You could have some problems when you will have many emails to process using a single email account (probably not a problem at the beginning). Also making yourself dependent on an external email provider may sound for you clients really unreliable (depending on your clients/business). Also someone could eat up all your space on gmail by sending too many emails that don't get deleted on time. Also when storing the files in AWS you must store the files with random filenames. Probably you will have to read some tutorials for that.
I am developing a feature in my app where I need to store the state of a particular series of actions between 2 users, just like an ajax based chat service.
The scenario is as follows:
A user can is able to see which other users are online and then challenge one of them. The other user receives the challenge and accepts it. Now both the users are given 5 questions each and the match starts simultaneously for them (almost simultaneously) Then as a user navigates thru the question or solves it, the state is updated on the other user screen as well.
Essentially this is very similar to a chat system like say facebook chat. I am able to see who all are online. I send a chat msg to my friend who can then respond to that and that response is seen on my chat window.
I believe all this can be achieved by using ajax. I can easily make ajax calls to .asmx webservices and retrieve objects for a particular user as Session can be accessed there. However, I am wondering where to maintain state because session is for a particular user and I want my particular object to be accessible for two particular users.
Where do I store the state? Or taking the example of Ajax based chat, where should I store what message User1 entered and when Uer1 entered how is it shown to user2?
I was thinking application object but read it is not recmmended.
What do you recommend for such a thing?
If you're trying to do "near real-time" message passing you might want to take a look at HTTP polling (a.k.a. long polling). I won't use SQL for temporal message passing and short-term state transitions like I've seen in the past. If running on a single web server just keep the state in session or in the ASP.NET Cache. If running on multiple web servers take a look at distributed caches like memcached, Velocity (Win 2008), or NCache. Then serve the cached data to the AJAX requests which are sitting and waiting (because of long-polling). The key design issue is the design of the cache keys (no pun intended), which would need to include the user's ID for user-specific event data.
P.S. There are frameworks for large-scale, near real-time message distribution that solve scaling issues which are hit when hundreds of clients are participating in long-polling at the same time. The broad name for those frameworks are 'Comet', and they are most useful when broadcasting the same messages to many clients.