We use a CFX that does RSA encryption for someone who needed cards to be
stored for longer periods. The client pastes in their private key (over
SSL) to decrypt the numbers and process them. The numbers themselves are
never shown, even over SSL.

/k

-----Original Message-----
From: Alan Rother [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 9:15 PM
To: CF-Talk
Subject: Re: Credit card storage

I agree with Matt, it's not illegal. It does violate SOME credit card
companies' "policies" regarding the proper handling of credit card data.
 The one exception to the rule is if you encrypt the data when you store
it.
 Don't use a one-way hash, you need to use a strong encryption algorithm.
Something like Blowfish. The only real risk is if you are in a shared
hosting environment someone can hack your site in minutes and find the
decryption module and suck your database dry.
 If you are on a shared server I would not store credit card information
in your database. There is NO WAY TO PROTECT YOUR DATA. I can't stress
this point enough. If I have a website on the same server as you, it
would take me a matter of minutes to completely hack your app and
database.
 =]
 If you are on your own box and you can protect it thoroughly it would be
OK to store the CC info, but I would still advise against it.

 On 9/21/05, Mike Little <[EMAIL PROTECTED]> wrote:
>
> thanks bryan, i am tending to think that the only option IS to go with a
> payment server. m.
>
> >> Rather than use a dedicated payment server for their online store, they
> >> wish for the transaction including credit card to be stored for
> >> retrieval. They would then process the transaction manually using
> >> EFTPOS. (each store receives orders based on the billing address
> >> entered)
> >
> >Well that is illegal for one thing...if the cc companies catch them they
> >will get spanked hard ;-) You MUST have a merchant account(s) for ONLINE
> >Txs....using the terminal for online sales is a no no
> >
> >Storing CC numbers opens the site up to an expensive security audit from
> >the cc companies and opens the client (and possibly yourself) to some major
> >liability...DO NOT DO IT UNLESS YOU'RE SURE IT'S SAFE!!
> >
> >>
> >> My question is, is there a safe way to do this. I am pretty reluctant to
> >> store credit card information - it would be in an SQL Server db at my
> >> webhost.
> >
> >Yes...but see above ;-)
> >
> >HTH
> >
> >Cheers
> >
> >Bryan Stevenson B.Comm.
> >VP & Director of E-Commerce Development
> >Electric Edge Systems Group Inc.
> >phone: 250.480.0642
> >fax: 250.480.1264
> >cell: 250.920.8830
> >e-mail: [EMAIL PROTECTED]
> >web: www.electricedgesystems.com <http://www.electricedgesystems.com>
>
> 
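
The arrangement described in the top message of this thread (the server encrypts with RSA, and the private key is supplied only at processing time), as an added Java example that is not code from the thread or from the CFX tag it mentions. The class and method names, the OAEP padding and the 2048-bit key size are assumptions, and the card number is a constructed test value.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;

// Hypothetical illustration: names, padding and key size are assumptions.
public class CardVault {
    static final String XFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Web server: holds only the public key, so it can store but never read.
    static String encryptPan(byte[] x509Public, String pan) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(XFORM);
        c.init(Cipher.ENCRYPT_MODE,
               KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(x509Public)));
        byte[] ct = c.doFinal(pan.getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(ct);
    }

    // Processing step: the private key arrives per request and is wiped after use.
    static String decryptPan(byte[] pkcs8Private, String stored) throws GeneralSecurityException {
        try {
            Cipher c = Cipher.getInstance(XFORM);
            c.init(Cipher.DECRYPT_MODE,
                   KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8Private)));
            return new String(c.doFinal(Base64.getDecoder().decode(stored)), StandardCharsets.US_ASCII);
        } finally {
            Arrays.fill(pkcs8Private, (byte) 0); // wipe the caller's copy of the key bytes
        }
    }

    // Only a masked form is ever displayed or logged.
    static String mask(String pan) {
        return "*".repeat(pan.length() - 4) + pan.substring(pan.length() - 4);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // stands in for a key pair the client generated
        byte[] pub = kp.getPublic().getEncoded();
        String pan = "4111111111111111"; // constructed test number, not a real card
        String rowA = encryptPan(pub, pan), rowB = encryptPan(pub, pan);
        System.out.println("same ciphertext twice: " + rowA.equals(rowB));
        String clear = decryptPan(kp.getPrivate().getEncoded(), rowA);
        System.out.println("processed card " + mask(clear));
    }
}
```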


