I guess I'm a bit too paranoid to even THINK about putting credit card
numbers in one of my databases.  Just thinking of the potential liability is
staggering.  Can you imagine your clients' attorneys asking you to explain
your own encryption algorithm to a judge?  Or why you used a public
algorithm that had known vulnerabilities (that you didn't necessarily know
about)?

Banks and financial institutions can keep the liability headaches to
themselves.

You know how you make money on Wall Street?  Controlling your risk.  I like
to follow the same advice when it comes to potential lawsuits.

Tom Nunamaker
Paladin Computers
Macromedia Certified Advanced ColdFusion 5.0 Developer
http://www.toshop.com/
[EMAIL PROTECTED]


-----Original Message-----
From: Bill Davidson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 27, 2002 10:55 AM
To: CF-Talk
Subject: Re: Best way to store credit cards in database?


Roll your own encryption.  I remember a while back some posted their
algorithm for encryption in CF, and it seemed pretty solid.  If you use your
own encryption scheme, it would be a lot harder for a hacker to decrypt the
CC number.  Using a public standard (like cfencrypt) is not a very good
solution.

I almost went down the path of cryptology - it's a lot of fun, but I didn't
want to work in a vault the rest of my life.

-Bill
www.brainbox.tv

----- Original Message -----
From: "Jeff Fongemie" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, January 27, 2002 10:17 AM
Subject: Best way to store credit cards in database?


> Sunday, January 27, 2002, 10:12:15 AM
> Hello CF-Talk,
>
>   I've got a simple site, and it uses a small Access database. We will be
>   taking credit cards.
>
>   Wondering what others consider a realistic practice to ensure
>   security to a reasonable level. What do others do?
>
>   The site will have SSL, but I'm thinking along the lines of
>   encrypting the card number. However, I know how insecure ColdFusion's
>   encryption is, so why bother?
>
>   If people do somehow encrypt the card number, would you be willing
>   to give examples? And I guess I'll need a way to unencrypt the
>   numbers in an admin area.
>
>   I've seen where a site will store half of the number, and the second
>   half gets sent by email to the shop owners. Then the shop owners
>   need to go in and match up the numbers.
>
>   Thanks for any advice, recommendations on this.
>
>
> Best regards,
>  Jeff Fongemie                          mailto:[EMAIL PROTECTED]
>
