Ok, I've been reading the last few threads on this and pondering the best
way to approach this scenario (storing CC in DB) and I've come up with the
following idea:

1) The User's password is stored as a one-way HASH.
2) The Credit Card info (list of cc number, exp date and verification
number) is stored as an ENCRYPTED string with the User's raw password as
the key.

Interface-wise, this requires that:

a) the user type in their password when Adding or Updating a credit card
record in the db (so it can be encrypted)
b) the user type in their password when finalizing an order (so the cc
info can be decrypted to be processed)
c) when a user changes their password, all cc records in the database must
be updated using the old and new passwords

But this way, neither the user's password, the encryption key nor the cc
info is stored unencrypted anywhere on the server.

Comments?


Tony Schreiber, Senior Partner                  Man and Machine, Limited
mailto:[EMAIL PROTECTED]                   http://www.technocraft.com



