> My question is, is there a safe way to do this? I am pretty reluctant to
> store credit card information

I have one client that has insisted on processing their CC order 
in-house as well. No matter how hard I tried to talk them out of it.

What I ended up doing - because I was scared as hell to store a complete 
number *anywhere*...(and I *know* it's a convoluted mess...)

A. First, the entire number is encrypted
B. Then 1/2 of it is sent through email to the client
    along with a false randomly generated "the rest
    of the number".
C. The other 1/2 is stored in the database, along with two
    additional false fields with randomly generated
    encrypted numbers.
D. Once they log in and retrieve the portion from the database,
    it's automatically deleted, so nothing stays in the
    database for over 24 hours.

So, I figure if an email is intercepted, and if the encryption is 
broken, they've only got 1/2 the number at best, and they still have to 
figure out what half they've got.

Same for the database. If anybody breaks in, they'd only get, at best, 
24 hours' worth of numbers and even if the encryption is broken, they've 
still got to figure out what fields are real and which ones aren't.

This was the best I could figure out at the time this was done. I'm 
*still* pressuring them to move to a merchant account through their bank 
for security purposes. I've got a signed disclaimer stating my 
disapproval of the method being used.

Client always knows best, right? Sheesh!


-- 
-----------
Les Mizzell

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218943
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
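Added example, not part of the original post and not the poster's code: steps C and D above (decoy fields, delete on retrieval, 24-hour limit) written out in Python with sqlite3. The ciphertext is treated as an opaque byte string produced elsewhere; the table layout, function names and the returned slot index are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

RETENTION_SECONDS = 24 * 60 * 60  # step D: rows live at most 24 hours

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS pending (order_id TEXT PRIMARY KEY,"
               " f0 BLOB, f1 BLOB, f2 BLOB, created REAL)")
    return db

def split_ciphertext(ciphertext):
    """Steps B and C: one half is emailed, the other goes to the database."""
    mid = len(ciphertext) // 2
    return ciphertext[:mid], ciphertext[mid:]

def store_half(db, order_id, db_half, now=None):
    """Step C: store the real half beside two random decoys of equal length.
    Returns the slot holding the real half (assumption: shared out of band)."""
    slot = secrets.randbelow(3)
    fields = [secrets.token_bytes(len(db_half)) for _ in range(3)]
    fields[slot] = db_half
    created = time.time() if now is None else now
    with db:
        db.execute("INSERT INTO pending VALUES (?, ?, ?, ?, ?)",
                   (order_id, *fields, created))
    return slot

def retrieve_and_delete(db, order_id, slot, now=None):
    """Step D: hand out the stored half once; the row is deleted in the same call."""
    now = time.time() if now is None else now
    with db:
        row = db.execute("SELECT f0, f1, f2, created FROM pending"
                         " WHERE order_id = ?", (order_id,)).fetchone()
        db.execute("DELETE FROM pending WHERE order_id = ?", (order_id,))
    if row is None or now - row[3] > RETENTION_SECONDS:
        return None  # unknown, already retrieved, or past retention
    return row[slot]

def purge_expired(db, now=None):
    """Step D backstop: remove rows nobody retrieved within 24 hours."""
    now = time.time() if now is None else now
    with db:
        cur = db.execute("DELETE FROM pending WHERE created < ?",
                         (now - RETENTION_SECONDS,))
    return cur.rowcount
```

The delete-on-retrieval only bounds exposure if `purge_expired` also runs on a schedule, since rows that are never retrieved would otherwise stay past the 24-hour limit.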