Don Vawter asked:

> Any advice on storing credit card info?

We're pretty radical about our beliefs on CC#'s: We don't keep them *anywhere*. We keep the last 4 digits and the CC type, and that's it. The CC# gets immediately PGP encrypted [1] and emailed to our processing center, where it is stored on a machine that, for all intents and purposes, is inaccessible via the web. We also don't have any responsibility for the machine, so we have pretty much zero liability, which is exactly how we like it. We're CC#-phobic. :)

> Does this make sense or am I making it too complicated
> (or leaving something obvious out).

Well, while the complexity of a system does not always relate to the security of a system, you never can be *too* secure. I think that any hoops that you can jump through for even the slightest bit more security are worth jumping through. Then again, that may just be my gov't contractor background speaking. ;)

> What are recommendations on encryption, is DES ok or
> do I need something else?

If you *absolutely must* store and retrieve CC#s, then 3DES isn't a bad route. While it is tried and true (having been a gov't std for the last few decades), also know that it is being phased out and replaced. I think the normal key length for good 3DES encryption is up to 256 bits? I may be a bit out of it, tho, as I haven't messed with it in a few years. You may also want to look into Blowfish/Twofish. I'm pretty sure there are CFX tags to do each of them.

Also, if you haven't read "Applied Cryptography" by Bruce Schneier (sp?), do so. It's a bit thick, but it's totally worth it. It'll help show you that security isn't just about encryption and may even give you a few ideas for tightening up your CC# security.

-R

[1] Notes on PGP :: PGP is rather difficult to get talking to CF. There are pre-built solutions, but they are not for the tight of budget. The CFX_PGP tag is in the $300 area, but I haven't heard any complaints about it. PGP, Inc. has a solution, but it *starts* at $5500 per server.

The current PGP tools (7.x) are *intentionally* hobbled to keep you from using them with web servers. [2] There is an API that you can use for the 7.x series, but it is new and completely undocumented, so you just have several hundred source files to work with if you want to build a CFX tag. The previous API is better documented, but it doesn't work with the 7.x series and is now unsupported. I wrote a huge journal entry on the trials and tribulations of trying to get PGP to work. I eventually got it to work, but I'm a bit hazy on whether or not my implementation is even legally/correctly licensed. My advice: tread lightly.

[2] http://www.rickosborne.org/Journal/journal-1-69.cfm

-R

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
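An added illustration of the "last 4 digits and the CC type, and that's it" rule from the reply above. This is example code, not from the original post or from any of the CF/CFX tags it mentions; `encrypt_for_processor` is a hypothetical callback standing in for the PGP step, and the card numbers in the demo are the publicly known test numbers, not real accounts.

```python
"""Keep only last4 + card type locally; hand the full PAN to an encryption hook and drop it."""
import re

# Issuer prefix rules for the common brands (educational subset, not a complete BIN table).
_BRANDS = (
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Visa", re.compile(r"^4(\d{12}|\d{15}|\d{18})$")),
    ("MasterCard", re.compile(r"^(5[1-5]\d{14}|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)\d{12})$")),
    ("Discover", re.compile(r"^(6011\d{12}|65\d{14})$")),
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; catches typos before anything is encrypted or sent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_type(pan: str):
    """Return the brand name for a digits-only PAN, or None if unrecognised."""
    for name, pattern in _BRANDS:
        if pattern.match(pan):
            return name
    return None


def minimize_card(raw: str, encrypt_for_processor) -> dict:
    """Validate the PAN, then return the only record the web tier may keep.

    encrypt_for_processor(pan) is a hypothetical hook (PGP in the original post);
    its output is what gets shipped off-box. The plaintext PAN never appears in
    the returned record, so nothing here is worth stealing if the database leaks.
    """
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("card number failed validation")
    brand = card_type(pan)
    if brand is None:
        raise ValueError("unrecognised card type")
    record = {"card_type": brand, "last4": pan[-4:],
              "processor_blob": encrypt_for_processor(pan)}
    assert pan not in repr(record), "full PAN leaked into the stored record"
    return record
```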

