Matt Robertson wrote:
> The robot has it right. You should only be transmitting cc info via a
> secure gateway to a cc processor,

Agreed.... I've got one client that INSISTS on processing their web CC payments themselves. The only thing I could come up with that made me comfortable:

1. I've got a signed statement from them saying I'm not liable for anything that may happen due to their wicked ways!
2. The card number is split into 6 segments
   a. 3 of which are encrypted and stored in a database
   b. Expiry month is encrypted and stored in a database
   c. other 3 segments are emailed to them
   d. expiry year is emailed to them.

They have to log into their admin system to retrieve the missing 1/2 of the CC info. As soon as they access it, it's automatically erased and replaced with random numbers, also encrypted.

I figure if anybody breaks into the system, and finds CC1 through CC6 fields in the database, 1/2 of which is real numbers and 1/2 which is fake, and all of it is fake after less than 24 hours and all is encrypted - even if they broke the encryption they'd still only have half of the needed info and no idea of which half they had...

It's convoluted, but it's about as secure as I could figure out how to do and still meet their request. Won't do it again for anybody else though.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280307