I'll repeat the warning about storing sensitive data in your db. If you don't have to (and there usually isn't a reason that can't be worked around) then don't do it. All of the transaction gateways I've dealt with recently (Authorize.net, Transfirst, Sage) have the ability to set up a profile for the customer on their server and then you can store the profile account info locally instead of the actual credit card.
That being said, AES is a good encryption algorithm and the one I would go with by default. The downside to that is that any encryption algorithm you pick in CF means that you are going to need a key that is also accessible to CF. In most circumstances, your app server is going to be publicly reachable and that represents a security risk. That would make me suggest that you consider database-level encryption options as well, as your db server should not be publicly accessible at all. MS-SQL supports database-level encryption and, as of 2008 I believe, column-level encryption so that only the columns you need encrypted are encrypted. I'm not sure about other DBMS encryption setups but I'm sure they exist for at least the major commercial databases.

Cheers,
Judah

On Tue, Feb 16, 2010 at 8:49 AM, Matthew Smith <[email protected]> wrote:
>
> What encryption algorithm would be appropriate for cc data? AES or blowfish?
> What kind of performance hit would it have?
>
> Also, what datatype is used to store the encrypted info in the d

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330782
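
A sketch of the column-level encryption approach mentioned in the message above, as an added example that is not part of the original email. It is T-SQL for SQL Server; every object name, the password placeholder and the sample row are assumptions made for illustration.

```sql
-- Key hierarchy lives inside the database: master key -> certificate -> AES key.
-- The application server never holds the AES key itself.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';

CREATE CERTIFICATE CardDataCert
    WITH SUBJECT = 'Protects the card data symmetric key';

CREATE SYMMETRIC KEY CardDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardDataCert;

-- Only the sensitive column is encrypted. EncryptByKey returns varbinary,
-- so the ciphertext column is VARBINARY, not VARCHAR.
CREATE TABLE dbo.CustomerPayment (
    CustomerId    INT            NOT NULL PRIMARY KEY,
    CardLast4     CHAR(4)        NOT NULL,   -- kept in clear for display
    CardNumberEnc VARBINARY(256) NOT NULL
);
GO

OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;

-- Constructed sample row; 4111111111111111 is a standard test card number.
-- The authenticator (4th argument) ties the ciphertext to this CustomerId,
-- so a ciphertext copied into another customer's row will not decrypt.
INSERT INTO dbo.CustomerPayment (CustomerId, CardLast4, CardNumberEnc)
VALUES (1, '1111',
        EncryptByKey(Key_GUID('CardDataKey'), '4111111111111111',
                     1, CONVERT(varbinary(4), 1)));

-- Decrypt with the same authenticator derived from the row's own key column.
SELECT CustomerId,
       CardLast4,
       CONVERT(varchar(19),
               DecryptByKey(CardNumberEnc, 1,
                            CONVERT(varbinary(4), CustomerId))) AS CardNumber
FROM dbo.CustomerPayment;

CLOSE SYMMETRIC KEY CardDataKey;

-- With the key closed, DecryptByKey returns NULL instead of the card number.
SELECT CustomerId, DecryptByKey(CardNumberEnc, 1,
                                CONVERT(varbinary(4), CustomerId)) AS ShouldBeNull
FROM dbo.CustomerPayment;
```

A database login that has no permission on the certificate cannot open the key, so it only ever sees the varbinary ciphertext.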

