Very good points across the board. Technically, I do not need to store the credit card info in the db. However, I do need to securely send/pass/or make available the credit card info to the receiving company. Maybe there is a better method to do so.

Steve

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2007 12:53 PM
To: CF-Talk
Subject: Re: Form Encryption

You can use asymmetric-key RSA encryption economically...

http://developer.perthweb.com.au/textcrypt.html

I've been using that tool for many years. It's about as safe as you can get for encrypting stored data. Key part of that phrase is "as you can get".

The problems with symmetric key encryption were already well-stated. Don't even think of doing that.

In theory a combination of SSL and a 128-bit RSA encryption provide a commercial-strength solution, but I would argue that it's a horrible idea to store credit card info on a server you are responsible for. It's such a gross violation of best or even acceptable practices in the IT and financial industries that the liability you will bear if the chain of custody on the private key is compromised... the liability you will personally incur, as well as what your client will incur... it's not worth the risk.

I would suggest that, if you are storing data, encrypt ALL of it to make the job more difficult. Do not name the fields with hacker-usable names (like credit_card_number). Use symmetric key encryption to encrypt first, then use asymmetric to encrypt that. Access your db server via a 2nd NIC and make that 2nd NIC go to the other server via internal IPs only.

..... and say your prayers regularly.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280274
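
An added example, not part of the thread and not the tool linked above: one common way to hand card data to a receiving company without the web server ever being able to read it back is hybrid encryption to the recipient's public key. The function names, the RSA-OAEP/AES-256-GCM choice and the test card value are assumptions made for this sketch; the key pair is generated locally only so the example runs stand-alone.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the receiving company's key pair. In a real
// deployment only the public key exists on the web server.
function makeRecipientKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: encrypt the payload under a one-time AES-256-GCM key, then wrap
// that key with the recipient's RSA public key.
function sealForRecipient(publicKey, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Recipient: unwrap the AES key with the private key, then decrypt.
// decipher.final() throws if the ciphertext or tag was altered.
function openEnvelope(privateKey, env) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP },
    Buffer.from(env.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  return Buffer.concat([
    decipher.update(Buffer.from(env.ciphertext, 'base64')),
    decipher.final(),
  ]).toString('utf8');
}

// Returns true when a one-bit change to the ciphertext is rejected.
function rejectsTampering(privateKey, env) {
  const bytes = Buffer.from(env.ciphertext, 'base64');
  bytes[0] ^= 0x01;
  try {
    openEnvelope(privateKey, { ...env, ciphertext: bytes.toString('base64') });
    return false;
  } catch (err) {
    return true;
  }
}
```

The envelope can be posted over SSL or queued for pickup; a compromise of the web server or its database yields only ciphertext, because the private key is held by the recipient.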