Chris,

I'm going to assume you have already explored the possibility of using
a cc processor that handles recurring payments on its own, thus
freeing you of the need to store *any* credit card information and
making your life a lot simpler and much more liability-free.  I know
Bank of America's cc gateway does this and I'm sure many others do as
well.

So anyway, if you must store this information you need some strong
security.  ColdFusion's encrypt() function is by no means strong
enough and shouldn't be considered to handle this job.  That means you
either

1) roll your own encryption scheme, or

2) buy something and use it.

At US$39 I've always felt this CFX is the best value on the planet for
doing that job:  http://developer.perthweb.com.au/textcrypt.html

I use the 1024-bit level and very likely so should you.  2048-bit keys
are very processor-intensive.

And as Dave said, your security is only as good as your key storage
and handling methods.  If you put the private key anywhere on the
server or in the db, for example, that would be VERY bad.  I usually
set up a deal where a user has to paste the key into a textarea field,
where it gets stored in a session cookie on their browser and used
from there.

--
--Matt Robertson--
MSB Designs, Inc.
mysecretbase.com