Possible ethical dilemma

[pstylesss]

I have a client who outsources his website development work to me. The current client I am doing work for wants to accept credit card transactions online via donations and a joining fee.

I informed my client that his clients easiest route would be paypal and second would be through their banks online merchant service. Apparently, they are insisting that the credit card information is emailed to them and they process it manually. Through email I have told my client that it's not secure enough. Even with SSL on the server and if they connect to the email server with SSL it's still not secure. The webserver and email server are on the same box.

I gave them the only way I would be comfortable with not using a merchant service, but the cost for me to code all that was very high and they didn't want to pay.

So, my ethical delima is whether or not I refuse to put in the code to email the CC info since I know it's not secure even though I have informed them.

So what do you guys think?

 

[JakwoW]

do it

 

[magomago]

Don't do it, especially if you have a problem with it yourself.

That said, ethics and morality seems to often be ignored in the business world.

edit:

hammer them on using an online merchant service. They exist exactly for this reason.

 

[AreaCode707]

I would submit a written risk evaluation of their options and state that professional standards do not allow you to assume the level of risk for their preferred option. Identity theft is a PITA and standing up against a company that doesn't realize the risk at which they put their customers is a totally honorable thing to do.

 

[Skeeedunt]

No way would I be responsible for that kind of clustefuck.

 

[kranky]

Originally posted by: AreaCode707
I would submit a written risk evaluation of their options and state that professional standards do not allow you to assume the level of risk for their preferred option. Identity theft is a PITA and standing up against a company that doesn't realize the risk at which they put their customers is a totally honorable thing to do.

I like this idea a lot.

And please don't initiate an SSL connection if the data isn't going to be handled securely. It's like a bait-and-switch deal.

 

[randay]

money is money

 

[A Casual Fitz]

Originally posted by: AreaCode707
I would submit a written risk evaluation of their options and state that professional standards do not allow you to assume the level of risk for their preferred option. Identity theft is a PITA and standing up against a company that doesn't realize the risk at which they put their customers is a totally honorable thing to do.

:thumbsup:

 

[MagnusTheBrewer]

I'm in a dilemma in regards to your "delima." Don't add to the intarwebs problems by allowing them to create an insecure money transfer system.

 

[ConstipatedVigilante]

Just say you're not willing to accept any risk of liability for people's money being at risk; they have to pay for the secure transfer or nothing.

 

[Pepsei]

Originally posted by: ConstipatedVigilante
Just say you're not willing to accept any risk of liability for people's money being at risk; they have to pay for the secure transfer or nothing.

this

 

[pstylesss]

Originally posted by: MagnusTheBrewer
I'm in a dilemma in regards to your "delima." Don't add to the intarwebs problems by allowing them to create an insecure money transfer system.

Thanks, fixed it! :thumbsup:

Originally posted by: magomago
Don't do it, especially if you have a problem with it yourself.

That said, ethics and morality seems to often be ignored in the business world.

edit:

hammer them on using an online merchant service. They exist exactly for this reason.

Originally posted by: AreaCode707
I would submit a written risk evaluation of their options and state that professional standards do not allow you to assume the level of risk for their preferred option. Identity theft is a PITA and standing up against a company that doesn't realize the risk at which they put their customers is a totally honorable thing to do.

I had done this when I outlined the program I intended to code for what they wanted.

Originally posted by: kranky

Originally posted by: AreaCode707
I would submit a written risk evaluation of their options and state that professional standards do not allow you to assume the level of risk for their preferred option. Identity theft is a PITA and standing up against a company that doesn't realize the risk at which they put their customers is a totally honorable thing to do.

I like this idea a lot.

And please don't initiate an SSL connection if the data isn't going to be handled securely. It's like a bait-and-switch deal.

That's what I tried to explain to them...

I have emails documenting all our conversations about this.