http://qs321.pair.com?node_id=75035

After reading this thread and now that my current (side) project - a shopping cart implemented in Python with a "Send Comments" form written in Perl - involves credit card numbers, I would like to ask for the wisdom of the community.

I just sent an email to my client yesterday, telling him that the site I'm doing for him is now ready to be beta-tested. In that email I spent about 3 paragraphs emphasizing that even though (before the site goes live) I'll set up the site to use SSL, and a suitable encryption scheme for the emailing of the CC nums from the site box to his box, there are tools available on the Internet that allow even a "12 year-old no brainer to crack websites".

Now, clearly, my intention is to do everything I know of (and everything that $700 can pay for, because that's all I'm charging :) to make it difficult to crack, i.e. the CC numbers are never written to disk, and as mentioned I'll be implementing SSL and likely PGP for the emailing of the CC nums.

But what is recommended to disclaim all liability for any consequences that may result from the operation of this site? Do I write out a license on paper and have him sign that document or something (eeek... this smells like lawyer's fees to make sure it's worded to be able to stand up in court)? Is there a standard disclaimer I should put at the top of each source file? Do licenses really buy you any safety in this situation? I'd be interested to hear your thoughts and your experiences.

As a point of note, I'm not too picky on the distribution terms (i.e. GPL, BSD, Artistic, etc.), but more concerned about disclaiming liability in a scenario for which I am clearly doing everything I know of to keep it secure, but still want to be able to sleep at night when the site goes live.