John Paul Ashenfelter wrote:
> Actually, first step is moving to a NOT shared server.

Agreed. Shared hosting is a horrible environment when you need serious security. I was guessing the guy is stuck on that platform.

> Actually, I'd highly recommend the MySQL encryption

This is what I get for not looking at the function list for a long time. The AES option *is* awesome. The problem I still have is that not all db's support this (only mySQL?), and I have to keep the code compatible with everything my product supports... So I'm outta luck on that score.

> I think industry standard choices are a much better choice than a 3rd party tool.

Yup. That tool I gave the (bad) link to uses RSA encryption in 512, 1024 or 2048-bit key lengths. Not sure if that's still considered an industry standard?

Cheers,
--------------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------

-----Original Message-----
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 18, 2003 7:07 AM
To: CF-Talk
Subject: Re: Storing Credit Card Info

----- Original Message -----
From: "Matt Robertson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, June 17, 2003 7:51 PM
Subject: Re: Storing Credit Card Info

> Holy cow... that's a very scary prospect. Obviously an SSL connection is
> the first step. Then...

Actually, first step is moving to a NOT shared server. Virtual hosting and SSL are an issue. Sharing is an issue. Etc. Etc. And you want to make sure that the web to database connection is/can run SSL so things can't be sniffed at the ISP.

> Encrypt the data. Don't rely on either CF or mySQL's encryption if you can
> at all possibly avoid it. My personal favorite encryption method is
> cfx_textcrypt from http://perthweb.developer.com.au but I'm sure others on
> the list have favorites of their own.

Actually, I'd highly recommend the MySQL encryption since you've got a lot of industry standard choices. CF doesn't have real encryption baked into it, though you could access the Java security toolset -- but MySQL's got all that built in.

http://www.mysql.com/doc/en/Miscellaneous_functions.html

Basic (keyphrase) encryption
  ENCRYPT() using the Unix crypt command is OK for general crypt, but I wouldn't use credit cards
  ENCODE() is not cool

One-way -- not the best for credit cards :)
  MD5()
  SHA1()

Two-way encryption (not a bad idea for credit cards)
  AES_ENCRYPT() (128 bit, 256 with recompile) added in 4.02 which is awesome
  DES_ENCRYPT() 3DES like a Cisco PIX does to your traffic, etc. Also needs SSL

I think industry standard choices are a much better choice than a 3rd party tool.

> And as soon as you can get those cc numbers off the server, do so.
> Remember you have to ensure the integrity of the transaction throughout,
> so if you are planning on transferring to a local db then *that*
> connection -- be it a brute force ftp copy (possible under mysql but ugly)
> or a local cf server pulling data off the live box via a remote odbc
> connection -- has to also be ssl-secured.
>
> Ditto that.

Regards,
John Paul Ashenfelter
CTO/TransitionPoint

> -------------------------------------------
> Matt Robertson, [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
> ---------- Original Message ----------------------------------
> From: "Issac Rosa" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 17 Jun 2003 19:02:14 -0400
>
> > My client has a need to store credit card. What's the best, cost
> > effective, most secure way of doing this? Is it just better to capture
> > the information in the db and then download to a local db, and keep off
> > the server? I'm curious to know what others are doing in this
> > situation. Currently, the application and db (MySQL) are on a shared
> > server.
> >
> > Thanks,
> >
> > Issac
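As an added illustration (not code from anyone in the thread), here is what the AES_ENCRYPT()/AES_DECRYPT() approach John Paul recommends looks like in MySQL; the table, column names, key variable and card number are all constructed for the example.

```sql
-- Constructed example: two-way AES encryption of a stored card number using
-- MySQL's built-in AES_ENCRYPT()/AES_DECRYPT(). The key is supplied by the
-- application per connection in a user variable and is never stored in a table.
CREATE TABLE card_vault (
  id          INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  customer_id INT UNSIGNED NOT NULL,
  last4       CHAR(4) NOT NULL,        -- cleartext, for display only
  pan_enc     VARBINARY(64) NOT NULL   -- AES ciphertext; never the raw PAN
);

-- Placeholder key: in practice this comes from application config on the
-- non-shared box, not from anything the database itself stores.
SET @cc_key = 'REPLACE-WITH-KEY-FROM-APP-CONFIG';

-- Constructed sample PAN (a standard test number, not a real card).
INSERT INTO card_vault (customer_id, last4, pan_enc)
VALUES (42, RIGHT('4111111111111111', 4),
        AES_ENCRYPT('4111111111111111', @cc_key));

-- Everyday reads never decrypt: last4 is enough for "card ending in 1111".
SELECT customer_id, last4 FROM card_vault WHERE customer_id = 42;

-- Decrypt only at the moment the charge is run.
SELECT AES_DECRYPT(pan_enc, @cc_key) AS pan
FROM card_vault WHERE customer_id = 42;

-- AES_DECRYPT() returns NULL when the padding check fails, which is the
-- usual result with a wrong key, so callers must treat NULL as a failure.
SELECT AES_DECRYPT(pan_enc, 'wrong-key') IS NULL AS decrypt_failed
FROM card_vault WHERE customer_id = 42;
```

Because the key travels inside the SQL text, it will appear in the general query log and binary log if those are enabled, and the connection carrying it is one more reason for the SSL link to the database that John Paul describes. AES_ENCRYPT() in this form is AES-128 in ECB mode, so identical card numbers produce identical ciphertext; that is acceptable for a small vault but worth knowing.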

