been silent on this one :)

I have considered implementing something for the wonderful CFWEBSTORE that
we use as a base for our commerce implementations...

some ground rules for whatever you use:

1. Store CC number + expiration + name in encrypted format... any one of the
three fields got in plain text could be the start of compromising the
rest...

2. Ideally, the password, keypad used to create the encryption schema
shouldn't be found in plain text anywhere on your server.

3. Your decryption key/password should change with some regularity and be
unique to each client.

4. Any swap spaces (disk) that is used to encrypt stuff should be routinely
wiped of data and overwritten to make recovery impossible.

As far as the encryption methodology, the RSA has proven itself to be some
of the best stuff widely used to date. If you can buy the base technology
and implementation at a price you/client can afford.

IN the case of monthly renewals... If the cycle is set to auto-rebill, store
the key yourself and have someone type it in while connected via SSL to the
server as a monthly task....

If the renewal requires authorization each month from the card holder,
create a form-based solution for the customer... Pull a faked TRANSACTION
identifier that identifies the person/last transaction. Get a Yes or No from
them to rebill... Ask them if they want to use the credit info you have on
file... then have it added to a nightly batch or in the case of live time,
you would have to store your pad in server's memory .... Recommend a daily
batch job ran by administrator with the pad....  Ideally, with one set of
keys the operator controls the show... with truly encrypted data, if a key
is lost there is no data... :)

Been through the consideration of this sort of solution for a while. Never
found the real need in my world to implement it... Will be glad to share
more with greater details provided by anyone.  I believe that these sorts of
subsystems will become mandatory shortly for anyone taking transactions
involving banking info online.

-paris



-----Original Message-----
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 18, 2001 22:55
To: CF-Talk
Subject: Re: Best practices storing CC


I don't think client and customer are the same Jim. I think by client she is
referring to the site owner who goes in once a month to process the cards of
his customers.


----- Original Message -----
From: "Jim McAtee" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, November 18, 2001 8:42 PM
Subject: Re: Best practices storing CC


> ----- Original Message -----
> From: "Kay Smoljak" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Sunday, November 18, 2001 8:28 PM
> Subject: Re: Best practices storing CC
>
>
> > Hi Don,
> >
> > Warning: this email does contain a plug...
> >
> > We had a similar problem with a client who has a subscription site. We
> > created a custom tag - CFX_PWCARDCRYPT, which encrypts the number using
> > a 512, 1024 or 2048 bit RSA public key, which can safely be stored on
> > the server. To process the payments each month, the client goes to an
> > SSL page and enters his private key, which is only stored offline on his
> > personal computer (we even recommend it's stored on a floppy disk in his
> > safe, rather than on his machine).
>
>
> Somehow, that sounds like a lot more work for the customer than simply
> reaching into his or her wallet, grabbing the CC and re-entering the
number.
>
> Jim
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

Reply via email to