Matt:

You can do some heavy encryption and store it all in the database.  Have the
encryption key be based on the user's name, time they registered the card,
etc.  Also, you can do ToBase64() and other such things and wind up with a
pretty good encryption that wouldn't require cookies.  Also, store part of
the key offline on an intranet, so if the hacker manages to steal your
encryption code and db info, they still need another key to decrypt it.

I would really stay away from storing it in a cookie (even if it is
encrypted).  Also, if you are going to be doing online sales I think that
BizRate and all those other security policy reviewer companies will NOT
support your site if you use this method.

--=@ greg @=--
----- Original Message -----
From: "Matt Wisdom" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, January 17, 2001 10:47 AM
Subject: Storing/Encrypting Credit Cards


> We need to store credit cards in a certain situation. I realize that this is
> recommended against.
>
> That being said, I have searched through the archives, and I haven't found
> any solutions that are great. The best I found was to use a solid ( or
> "pretty good" ;-) encryption for the credit card numbers in the database,
> and then force the hacker to figure out how CF is unencrypting the numbers.
> The other suggestions were ways to further obfuscate this process, but none
> were "100%" solutions.
>
> An alternate solution I am considering is to store part of the credit card
> in our database, and part in a user cookie, both encrypted of course. We
> already have a cookie requirement in the case where we need to store credit
> cards, so that is not a problem. Also, I don't think that the users will
> mind only being able to access their credit cards from the machine from
> which they were saved.
>
> Is anybody utilizing this method?
>
> Matt
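An added illustration of the "keep part of the key offline" idea from the reply above; this is example code written for this page, not ColdFusion and not from either poster. The per-user data key is derived from an application secret plus a second secret served from an offline/intranet key store, and the card number is sealed with AES-GCM with the user id bound as associated data, so a stolen database plus the application secret alone cannot rebuild the key and a blob moved to another user's row will not open; the secret values and user ids are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// cardCipher derives a per-user AES-256 key from two secrets: one held in the web
// application's configuration and one fetched from an offline/intranet key store.
// Both secrets are assumed inputs here; neither store alone yields the key.
func cardCipher(appSecret, offlineSecret []byte, userID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, offlineSecret)
	mac.Write(appSecret)
	mac.Write([]byte("|card-key-v1|" + userID))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output = AES-256 key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCard seals the card number as nonce || ciphertext || tag; the user id is
// bound as associated data, so a blob copied into another user's row fails to open.
func encryptCard(gcm cipher.AEAD, userID, pan string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(userID)), nil
}

// decryptCard returns an error, never garbage, on tampering or a wrong key share.
func decryptCard(gcm cipher.AEAD, userID string, blob []byte) (string, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(userID))
	return string(pt), err
}
```

The blob is what goes into the database column; the offline secret is fetched only at encrypt/decrypt time and never written alongside the data.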
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists