Matt, I have contemplated this on a couple of occasions.

First, you have to make sure the entire session is
SSL so that the data can arrive with a degree of security
to your server.

Next, you should use a public/private key system and encrypt
the credit card with a public key, and store the private key
TOTALLY off the server.

Now the only way to unencrypt the credit card is with the
private key, which you do not have on the internet at all.

The main *idea* behind this is encrypting the CC num with a
public key, and then only unencrypting it with the private key
(not on the internet) when absolutely necessary, rendering
the database useless unless you have access to the private
keys.


This is grossly oversimplified since on a step by step level
this is pretty complex.. but that's the idea.. an okay starting
point. There are tons of papers out there (especially dealing
with php..) about this stuff, so you can get a great starting
point from some of that documentation.


Jeremy Allen
elliptIQ Inc.
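The scheme Jeremy sketches (web tier encrypts with a public key, only an offline machine holds the private key) as an added example, not code from the original thread. It is Go using only the standard library: RSA-OAEP with SHA-256, and it goes one step past the text by using the OAEP label to bind each ciphertext to the customer it was captured for, so a ciphertext copied onto another customer's record will not decrypt. The customer id and the PAN (a well-known Visa test number) are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CardRecord is all the internet-facing database holds: ciphertext plus the
// last four digits for display. No key material is stored with it.
type CardRecord struct {
	CustomerID string
	LastFour   string
	Ciphertext []byte
}

// WebTier models the server on the internet: it has the public key only,
// so it can encrypt a card number but can never decrypt one.
type WebTier struct {
	pub *rsa.PublicKey
}

// OfflineTier models the machine that is not on the internet and holds the
// private key; only it can turn a stored record back into a card number.
type OfflineTier struct {
	priv *rsa.PrivateKey
}

// label ties a ciphertext to one customer record (assumed id format).
// OAEP decryption fails unless the same label is supplied, so swapping a
// ciphertext between rows in the database yields nothing.
func label(customerID string) []byte {
	return []byte("card-pan:" + customerID)
}

// NewKeyPair generates the key pair. In a real deployment generation happens
// on the offline machine and only the public key is copied to the web tier.
func NewKeyPair() (*WebTier, *OfflineTier, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &WebTier{pub: &priv.PublicKey}, &OfflineTier{priv: priv}, nil
}

// StoreCard validates the PAN, encrypts it under the public key and returns
// the record to persist. The clear PAN never leaves this function.
func (w *WebTier) StoreCard(customerID, pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return CardRecord{}, errors.New("PAN must contain digits only")
		}
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), label(customerID))
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{CustomerID: customerID, LastFour: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// RecoverPAN runs on the offline machine when a card is absolutely needed.
func (o *OfflineTier) RecoverPAN(rec CardRecord) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, o.priv, rec.Ciphertext, label(rec.CustomerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	web, offline, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample: customer "cust-42" with the Visa test PAN.
	rec, err := web.StoreCard("cust-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored for %s: last four %s, %d ciphertext bytes\n",
		rec.CustomerID, rec.LastFour, len(rec.Ciphertext))
	pan, err := offline.RecoverPAN(rec)
	fmt.Println("offline recovery:", pan, err)
	rec.CustomerID = "cust-99" // same ciphertext moved to another row
	_, err = offline.RecoverPAN(rec)
	fmt.Println("recovery after swapping records fails:", err != nil)
}
```

The web tier's compromise then exposes ciphertexts and last-four digits but no way to read them; the remaining risk is the capture path itself (the SSL session and the process memory holding the PAN before `StoreCard` runs), which this design does not cover.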



>-----Original Message-----
>From: Matt Wisdom [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 17, 2001 10:47 AM
>To: CF-Talk
>Subject: Storing/Encrypting Credit Cards
>
>
>We need to store credit cards in a certain situation. I realize that this
>is recommended against.
>
>That being said, I have searched through the archives, and I haven't found
>any solutions that are great. The best I found was to use a solid ( or
>"pretty good" ;-) encryption for the credit card numbers in the database,
>and then force the hacker to figure out how CF is unencrypting the numbers.
>The other suggestions were ways to further obfuscate this process, but none
>were "100%" solutions.
>
>An alternate solution I am considering is to store part of the credit card
>in our database, and part in a user cookie, both encrypted of course. We
>already have a cookie requirement in the case where we need to store credit
>cards, so that is not a problem. Also, I don't think that the users will
>mind only being able to access their credit cards from the machine from
>which they were saved.
>
>Is anybody utilizing this method?
>
>Matt
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists