Is TUC Affected by Heartbleed?
Posted: Thu Apr 24, 2014 11:42 am
I had been asked about the following concern by league team members who were about to register for their memberships:
"Is it safe to pay for our membership fee online... considering the Heartbleed bug?"
I know we're never 100% "safe" transacting online, but are TUC's SSL servers patched to address the bug?
Posted: Thu Apr 24, 2014 5:00 pm
The TUC server doesn't actually process payments. When you click the "pay" button, you are sent to a third-party server, run by Chase Paymentech, one of the largest online payment providers in the world. When the payment is completed, Chase sends a notification to the TUC server, but this notification does not include your credit card number. I can go into detail about this if you want, or anyone who's so inclined can look at the Zuluru code on GitHub.
In short, the server that needs to be secured against Heartbleed is Chase's, not TUC's. I can't find anything specifically related to the Chase Paymentech server that we interface with, but I did find notices from the Chase personal banking site, as well as FrontStream Holdings, which appears to be related to Chase Paymentech, both of which state that they are not vulnerable. And I really can't imagine a company as big as Chase leaving a vulnerability like this open, if they were even subject to it in the first place.
Posted: Thu Apr 24, 2014 5:17 pm
That's good enough for me. Thanks Greg.