A clarification on terminology:
A HASH is an Asymmetrical function -- this means that you don't "UN-HASH"
something and get the original value.
Although technically, a Hash is a form of Encryption, it is not intended to
be reversible.  There are Encryption algorithms which are symmetrical or
'reversible' so you need to make sure you have a corresponding Decrypt
algorithm before you Encrypt it.

brendan avery 2.0 - [EMAIL PROTECTED]
310.779.2211 - santa monica, california
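
The distinction drawn above (a hash has no inverse; a symmetric cipher needs a key and a matching decrypt routine) and Jennifer's quoted suggestion further down (hash the card number together with unstored data such as the expiry date, and keep the last four digits separately) can both be shown in code. The following Python is an added example, not code from this thread or from ColdFusion; the 4111111111111111 value is the widely published test card number, not a real account, and the keys are constructed for the demonstration. The keyed hash (HMAC) is used because a 16-digit card number has very little entropy, so an unkeyed digest of it is not a safe thing to store on its own:

```python
import hashlib
import hmac
import secrets

# Constructed sample: the widely published Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def sha256_hash(pan: str) -> str:
    """One-way digest of the card number. There is no 'un-hash': the only
    operation available later is to hash a candidate again and compare."""
    return hashlib.sha256(pan.encode()).hexdigest()


def card_fingerprint(pan: str, secret: bytes, extra: str = "") -> str:
    """Keyed hash (HMAC-SHA256) over the card number plus optional unstored
    data such as the expiry date. The secret key, kept out of the database,
    is what stops the short, structured card number from being matched by
    simple recomputation."""
    message = pan.encode() + b"|" + extra.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def fingerprint_matches(pan: str, extra: str, secret: bytes, stored: str) -> bool:
    """Verify a card presented later against the stored fingerprint."""
    return hmac.compare_digest(card_fingerprint(pan, secret, extra), stored)


def display_suffix(pan: str) -> str:
    """The last four digits, stored separately so users can recognise the card."""
    return pan[-4:]


def _subkeys(master: bytes):
    """Derive one key for encryption and a different one for authentication."""
    enc = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_pan(pan: str, master: bytes) -> bytes:
    """Reversible, authenticated encryption: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    plaintext = pan.encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_pan(blob: bytes, master: bytes) -> str:
    """The matching decrypt routine the text says you must have before you
    encrypt. Fails closed if the blob was altered or the wrong key is used."""
    enc_key, mac_key = _subkeys(master)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def decrypt_rejects(blob: bytes, master: bytes) -> bool:
    """True when decrypt_pan refuses the blob (tampered data or wrong key)."""
    try:
        decrypt_pan(blob, master)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a key store, never the same database
    print("sha256   :", sha256_hash(SAMPLE_PAN))
    print("hmac     :", card_fingerprint(SAMPLE_PAN, key, "12/04"))
    print("last four:", display_suffix(SAMPLE_PAN))
    blob = encrypt_pan(SAMPLE_PAN, key)
    print("decrypted:", decrypt_pan(blob, key))
```

The two storage models behave differently on purpose: a fingerprint can only answer "is this the same card?", while the encrypted blob can be turned back into the number in an admin area, but only by code that holds the key and runs the matching decrypt routine.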

> -----Original Message-----
> From: Jennifer Larkin [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 12:05
> To: CF-Talk
> Subject: Re: Best way to store credit cards in database?
> 
> 
> He realizes that there are security problems and that's why he's asking
> for help. That also implies that he doesn't really have a choice in this
> matter. Sometimes it isn't a customer requirement, it's a client
> requirement. I had this as a client requirement on a project before and
> they were not willing to back down on this even after five developers
> working for two companies told them not to do it. Here was the rationale:
> "They do it on Amazon and we want to make it as easy for people as Amazon."
> 
> To answer Chad's question, hashing the credit card number might work for
> you. It might work best to hash other unstored information with the credit
> card number just to make it a bit more complex data set, perhaps the
> expiration date. I can't recommend a specific hash function because I don't
> know specifics on any of them. I just have an idea how they work. Keep in
> mind that if you hash the credit card number you'll need to store the
> information somewhere else for processing. It is common to show the last
> four digits of the credit card number so the users can verify that they are
> using the credit card they mean to use. You would have to store this
> information separately from the hashed credit card.
> 
> A friend of mine was looking over my shoulder yesterday when I replied to
> this thread and he was really impressed with the number of security-minded
> developers involved in this discussion.
> 
> At 01:39 PM 1/28/02 -0500, you wrote:
> >Store everything but the number and communicate with the users why you
> >are not storing them.  Asking them to retype everything is a pain but
> >just the CC, na, I don't think you would hear anyone complain, they
> >would probably like that...
> >
> > >>> [EMAIL PROTECTED] 01/28/02 12:48PM >>>
> >What about return visitors that want to store their CC number?  MD5 hash
> >on the number?  then store it in the database?
> >
> >At 11:56 AM 1/28/2002 -0500, you wrote:
> > >hear, hear, all we keep are the last 4 numbers.....let the banks worry
> > >...
> > >
> > > >>> [EMAIL PROTECTED] 01/27/02 07:00PM >>>
> > >Don't store the credit card numbers at all.  Just process the
> > >transaction immediately and store the rest of the order information.
> > >
> > >
> > >
> > >----- Original Message -----
> > >From: "Jeff Fongemie" <[EMAIL PROTECTED]>
> > >To: "CF-Talk" <[EMAIL PROTECTED]>
> > >Sent: Sunday, January 27, 2002 7:17 AM
> > >Subject: Best way to store credit cards in database?
> > >
> > >
> > > > Sunday, January 27, 2002, 10:12:15 AM
> > > > Hello CF-Talk,
> > > >
> > > >   I've got a simple site, and uses a small Access database. We will
> > > >   be taking credit cards.
> > > >
> > > >   Wondering what others consider a realistic practice to ensure
> > > >   security to a reasonable level. What do others do?
> > > >
> > > >   The site will have SSL, but I'm thinking along the lines of
> > > >   encrypting the card number. However, I know how unsecure
> > > >   ColdFusion's encryption is, so why bother?
> > > >
> > > >   If people do somehow encrypt the card number, would you be willing
> > > >   to give examples? And I guess I'll need a way to unencrypt the
> > > >   numbers in an admin area.
> > > >
> > > >   I've seen where a site will store half of the number, and the
> > > >   second half gets sent by email to the shop owners. Then the shop
> > > >   owners need to go in and match up the numbers.
> > > >
> > > >   Thanks for any advice, recommendations on this.
> 
> Now available in a San Francisco Bay Area near you!
> http://www.blivit.org/mr_urc/index.cfm
> http://www.blivit.org/mr_urc/resume.cfm
> 
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/