I have also done this using CFX_PGP. In our case, we FTPed the
order and PGP-encrypted CC info to a Unix server and they moved
the file to a secure location behind a firewall and deleted it
from the FTP folder. You could also do this via VPN.

Another question: has anyone found any shared hosts that support
CFX_PGP?

Thanks,

Megan
[EMAIL PROTECTED]

Alpha 60 Design Shop
http://www.alpha60.com
phone: 202-745-6393
fax:   202-745-6394

> -----Original Message-----
> From: Alex Santantonio [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 04, 2001 11:22 AM
> To: CF-Talk
> Subject: RE: Storing Credit Cards
>
>
> If you must store credit card info, it might be a good idea to follow
> some of these steps in addition to the typical Secure Certificate and
> so on.  You should absolutely encrypt them using PGP or some other type
> of encryption.  I have used CF_PGP on several clients and it works
> quite well.  You could probably use some sort of ASP PGP COM object
> with CF instead of paying the $400 for CF_PGP.  In addition to this,
> you can also create an automated process that will transfer the card
> numbers from the live database to another database that is not
> accessible through the site in any way.  Then write the good old
> xx*****xxxx to the live database for future management.  Then you can
> transfer your billing software that you write to actually charge the
> cards on the schedule behind this secure section so only people within
> the office or from a certain IP address can process cards.  This will
> at least make it much more difficult to get at this data, and if your
> database is hacked or stolen from your live site, the only cards that
> might even be in there would be the ones that were not yet transferred,
> and those would be encrypted in PGP so it would take someone a good
> deal of time to get at it that way.  So in short.
>
> 1. Store credit cards PGP encrypted in the database
> 2. Transfer on a schedule and store them in a separate Database with
>    the info on the live database overwritten
> 3. Move billing management behind a firewall or some server that is in
>    no way accessible to the outside.
>
> This should at least minimize your risk a bit.
>
> Alex Santantonio
> Lead Developer
> Macromedia Coldfusion 5 Certified Professional
> Macromedia Certified Web Site Developer
> [EMAIL PROTECTED]
> www.doceus.com
>
> -----Original Message-----
> From: Jeff Stone [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 04, 2001 10:55 AM
> To: CF-Talk
> Subject: Storing Credit Cards
>
> I am hoping that someone in this group may be able to help me.  The
> company I work for is building a service-based ecommerce website.
> Because this site sells website space to other customers, I need to
> charge these customers monthly for the services we are providing.
> Therefore, I believe I am going to have to store the customer's credit
> card numbers in order to charge their cards every month for their
> continued use of our services.
>
> I have done quite a few product-based ecommerce sites in the past and
> have never had to face this issue.  In the past, I have used
> Cybersource and Cybercash passing them the user's credit card
> information at the time of purchase and then just storing the
> authorization code that was returned in my database.  Then, when the
> products were shipped, I would pass the authorization code back to
> Cybersource and they would give me a billing code that would confirm
> that a request for the card to be charged had been completed.  This was
> very secure because I never had to store the credit card numbers at
> all.  The only problem is that these authorization codes are only good
> for 7-10 days, so I cannot use this same process for my current
> customer.
>
> I know there are a lot of people out there currently storing credit
> cards.  I know all of the ISPs must be doing it to be able to
> constantly charge my credit card each month.  Has anyone done this
> before, and if so, how?  I have spent the last couple of days looking
> for the best encryption/decryption scheme, but at the sore lack of
> information that I have found, I thought I would turn to this group for
> some advice (assuming that someone out there must have the answer).  I
> would also be interested in knowing if anyone is aware of a third party
> clearing house or payment processor that can provide a very secure
> credit card storage service.  As you can tell, I am very hesitant to
> want to store these credit card numbers at all.
>
> Any help you all may be able to give would be much appreciated.
>
> Thanks again,
>
> Jeff Stone
> Stone Grove Design
> [EMAIL PROTECTED]
>
> 