I have a similar situation with a project I'm working on but it would required me breaking some of the suggestions posted. The project I'm working on is a membership site in which members can be doing multiple transactions within a weeks time. We wanted to allow users to have their CC info stored on our server to allow them faster checkout times for all of these transactions. I believe Walmart and a few other large online stores do this. I was planning on doing some sort of encryption of the numbers and do some of the other "confusion" based security, but I'm just wondering if anyone else has dealt with anything like this.
John Burns Certified Advanced ColdFusion MX Developer Wyle Laboratories, Inc. | Web Developer -----Original Message----- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 11:00 AM To: CF-Talk Subject: RE: Credit card storage Les... We've used that same method. Storing half and emailing the other half. I've got comments in my code stating that I'm "nervous about this part". :) <!----------------//------ andy matthews web developer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --------------//---------> -----Original Message----- From: Les Mizzell [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 9:43 AM To: CF-Talk Subject: Re: Credit card storage > My question is, is there a safe way to do this. I am pretty reluctant > to store credit card information I have one client that has insisted on processing their CC order in-house as well. No matter how hard I tried to talk them out of it. What I ended up doing - because I was scared as hell to store a complete number *anywhere*...(and I *know* it's a convoluted mess...) A. First, the entire number is encrypted B. Then 1/2 of it is sent through email to the client along with a false random generated "the rest of the number". C. The other 1/2 is stored in the database, along with two additional false fields with random generated encrypted numbers. D. Once they login and retrieve the portion from the database, it's automatically deleted, so nothing stays in the database for over 24 hours. So, I figure if an email is intercepted, and if the encryption is broken, they've only got 1/2 the number at best, and they still have to figure out what half they've got. Same for the database. If anybody breaks in, they'd only get, at best, 24 hours worth of numbers and even if the encryption is broken, they've still got to figure out what fields are real and which ones aren't. This was the best I could figure out at the time this was done. I'm *still* pressuring them to move to a merchant account through their bank for security purposes. I've got a signed disclaimer stating my disapproval of the method being used. Client always knows best, right? Sheesh! -- ----------- Les Mizzell ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218951 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
