it's generally a bad thing to store credit card numbers, but if you really wanna, try using something like pgp and have the passphrase be a product of their password. of course don't store the password ever either (that should be asymmetrically hashed à la md5 or stronger, preferably with some other buffer data so that reverse hash dictionaries can't be used.) this way, even if someone gets a hold of your database, they'd have to crack the passwords from the hashes in order to get the CC number, and if your hash scenario is tough and obscure enough to slow down brute force efforts, you'll have enough time to inform your users of the theft before anything bad happens with their cards.
and in any event, NEVER store CC numbers or passwords on a sql server that has port 1433 available to the whole danged internet, because brute forcing your way into a sql server is actually really danged easy. on that note, if anyone wants a dictionary attack proggie for sql server: http://ntsecurity.nu/toolbox/sqldict/

brendan avery 2.0 - [EMAIL PROTECTED]
310.779.2211 - santa monica, california

> -----Original Message-----
> From: Chad Gray [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 09:49
> To: CF-Talk
> Subject: Re: Best way to store credit cards in database?
>
> What about return visitors that want to store their CC number? MD5 hash on
> the number? then store it in the database?
>
> At 11:56 AM 1/28/2002 -0500, you wrote:
> >hear hear, all we keep are the last 4 numbers.....let the banks worry
> >...
> >
> >>>> [EMAIL PROTECTED] 01/27/02 07:00PM >>>
> >Don't store the credit card numbers at all. Just process the transaction
> >immediately and store the rest of the order information.
> >
> >----- Original Message -----
> >From: "Jeff Fongemie" <[EMAIL PROTECTED]>
> >To: "CF-Talk" <[EMAIL PROTECTED]>
> >Sent: Sunday, January 27, 2002 7:17 AM
> >Subject: Best way to store credit cards in database?
> >
> >> Sunday, January 27, 2002, 10:12:15 AM
> >> Hello CF-Talk,
> >>
> >> I've got a simple site, and uses a small Access database. We will be
> >> taking credit cards.
> >>
> >> Wondering what others consider a realistic practice to ensure
> >> security to a reasonable level. What do others do?
> >>
> >> The site will have SSL, but I'm thinking along the lines of
> >> encrypting the card number. However, I know how insecure ColdFusion's
> >> encryption is, so why bother?
> >>
> >> If people do somehow encrypt the card number, would you be willing
> >> to give examples? And I guess I'll need a way to unencrypt the
> >> numbers in an admin area.
> >>
> >> I've seen where a site will store half of the number, and the second
> >> half gets sent by email to the shop owners. Then the shop owners
> >> need to go in and match up the numbers.
> >>
> >> Thanks for any advice, recommendations on this.
> >>
> >> Best regards,
> >> Jeff Fongemie mailto:[EMAIL PROTECTED]
> >
> >______________________________________________________________________
> >Why Share?
> > Dedicated Win 2000 Server • PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER
> > Instant Activation • $99/Month • Free Setup
> > http://www.pennyhost.com/redirect.cfm?adcode=coldfusionc
> >FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
> >Archives: http://www.mail-archive.com/[email protected]/
> >Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
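The storage design Brendan sketches at the top of the thread (card number encrypted under a key derived from the user's password, only a salted password hash kept in the database, the password itself never stored) as an added Python example; this is not code from the thread or from any of its participants. It swaps PBKDF2-HMAC-SHA256 with a per-user salt for the "md5 or stronger plus some other buffer data" hash, and, so that it runs on the standard library alone, encrypts with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag rather than a library AEAD such as AES-GCM, which a real deployment would use instead. The function names, row layout, password and sample card number are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added illustration, not code from the CF-Talk thread. Standard library only.
# PBKDF2-HMAC-SHA256 with a per-user salt stands in for the thread's "md5 or
# stronger plus some other buffer data"; the iteration count is what makes
# brute-forcing the leaked verifier slow.
KDF_ITERATIONS = 600_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password once, then split the result into a verifier
    (stored; plays the role of the password hash) and a data key (never stored)."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    verifier = hmac.new(master, b"password-verifier", hashlib.sha256).digest()
    data_key = hmac.new(master, b"card-data-key", hashlib.sha256).digest()
    return verifier, data_key


def _subkeys(data_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the data key."""
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_card(data_key: bytes, card_number: str) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = os.urandom(NONCE_LEN)
    plaintext = card_number.encode("ascii")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_card(data_key: bytes, blob: bytes) -> str:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    enc_key, mac_key = _subkeys(data_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("card blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("card blob tampered with or wrong key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode("ascii")


def enroll(password: str, card_number: str) -> dict:
    """Build the database row. Neither the password nor the card number is in it;
    only the last four digits are kept in the clear, as the thread suggests, for display."""
    salt = os.urandom(16)
    verifier, data_key = derive_keys(password, salt)
    return {
        "salt": salt,
        "password_verifier": verifier,
        "card_blob": encrypt_card(data_key, card_number),
        "card_last4": card_number[-4:],
    }


def reveal_card(row: dict, password: str) -> Optional[str]:
    """What the site can do at checkout while the user is present: re-derive
    the keys from the typed password, check the verifier, then decrypt."""
    verifier, data_key = derive_keys(password, row["salt"])
    if not hmac.compare_digest(verifier, row["password_verifier"]):
        return None  # wrong password: no data key, so no card number
    return decrypt_card(data_key, row["card_blob"])


def detects_tampering(row: dict, password: str) -> bool:
    """Flip one ciphertext byte in a copy of the row and confirm the MAC rejects it."""
    blob = bytearray(row["card_blob"])
    blob[NONCE_LEN] ^= 0x01
    try:
        reveal_card({**row, "card_blob": bytes(blob)}, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    row = enroll("correct horse battery staple", "4111111111111111")  # constructed sample values
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in row.items()})
    print(reveal_card(row, "correct horse battery staple"))
    print(reveal_card(row, "wrong password"))
    print(detects_tampering(row, "correct horse battery staple"))
```

The trade-off is the one Jeff's question about "a way to unencrypt the numbers in an admin area" runs into: the row holds nothing that yields the card number without the user's password, so a thief with the database is reduced to brute-forcing the verifier, but for the same reason an administrator cannot decrypt it either, and a password reset discards the stored card.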

