I guess I'm a bit too paranoid to even THINK about putting credit card numbers in one of my databases. Just thinking of the potential liability is staggering. Can you imagine your clients' attorneys asking you to explain your own encryption algorithm to a judge? Or why you used a public algorithm that had known vulnerabilities (that you didn't necessarily know about)?
Banks and financial institutions can keep the liability headaches to themselves. You know how you make money on Wall Street? Controlling your risk. I like to follow the same advice when it comes to potential lawsuits.

Tom Nunamaker
Paladin Computers
Macromedia Certified Advanced ColdFusion 5.0 Developer
http://www.toshop.com/
[EMAIL PROTECTED]

-----Original Message-----
From: Bill Davidson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 27, 2002 10:55 AM
To: CF-Talk
Subject: Re: Best way to store credit cards in database?

Roll your own encryption. I remember a while back someone posted their algorithm for encryption in CF, and it seemed pretty solid. If you use your own encryption scheme, it would be a lot harder for a hacker to decrypt the CC number. Using a public standard (like cfencrypt) is not a very good solution.

I almost went down the path of cryptology - it's a lot of fun, but I didn't want to work in a vault the rest of my life.

-Bill
www.brainbox.tv

----- Original Message -----
From: "Jeff Fongemie" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, January 27, 2002 10:17 AM
Subject: Best way to store credit cards in database?

> Sunday, January 27, 2002, 10:12:15 AM
> Hello CF-Talk,
>
> I've got a simple site, and it uses a small Access database. We will be
> taking credit cards.
>
> Wondering what others consider a realistic practice to ensure
> security to a reasonable level. What do others do?
>
> The site will have SSL, but I'm thinking along the lines of
> encrypting the card number. However, I know how unsecure ColdFusion's
> encryption is, so why bother?
>
> If people do somehow encrypt the card number, would you be willing
> to give examples? And I guess I'll need a way to unencrypt the
> numbers in an admin area.
>
> I've seen where a site will store half of the number, and the second
> half gets sent by email to the shop owners. Then the shop owners
> need to go in and match up the numbers.
>
> Thanks for any advice, recommendations on this.
>
>
> Best regards,
> Jeff Fongemie mailto:[EMAIL PROTECTED]

