Just to clarify a few technical issues folks have been talking about:
HASHING

I am somewhat familiar with cc gateways. Generally, to make a cc purchase your app needs to send a credit card gateway the following info: credit card number, person's name (as on cc), their billing address and their card expiry date. "Hashing" this information makes it useless for this purpose.

A hash, for those of you not up on crypto terms, is an algorithm that takes a string (of any kind) and reduces it down to a fixed-length (usually) number. Say for MD5 (the most popular) it would reduce an n-length string down to just 16 bytes. You cannot retrieve information you have "hash"ed back to the original string (it's a lossy action). You can only compare hashes to each other and see if they are the same. (If you hash two cc's and their hashes are the same then the cc numbers are "probably" the same.) (The type of alg that you can unencrypt the data from is basically called "symmetric".) Anyway, again, hashing cc's, etc. has no use for this purpose. FYI.

STORING CC's

I advise against it, basically for the possible legal repercussions if your site is hacked, BUT... if you really have to store for monthly billings etc., the safest way is something like:

Buy a separate computer. Allow only this computer to talk to the cc gateway. Allow only other computers on that LAN to talk to it. Use a firewall between them. Set the firewall to the most hard-ass settings possible.

Now, add software to that computer. Only the bare essentials. Preferably Linux or FreeBSD with a minimal OS install. Apache or Stronghold. Now, lastly... you add 1) a database 2) and something to script your code in (CF or Perl or C++, whatever you prefer). This script has three functions: Add, Delete, Submit-to-gateway. The database has a table consisting of the cc-type I mentioned above plus an ID field which corresponds to the ID of the customer in your main database. When a customer is added (or they change cc's) you send this info to the firewall's computer and it adds it to its database.
When you need to bill them you send it the customer's ID and the amount. The computer then looks up their cc info and sends the data to the cc gateway. In this fashion even if your main website is completely penetrated by a hack, they CAN'T ask the firewall'd computer for any of its cc info.

This is basically the template you want to follow if you're building a large business, because... even in the remote chance somehow they manage to penetrate the firewall'd computer, from a legal standpoint you will have done about everything that is humanly possible to safeguard that information. Very useful if it ever comes up in court.

--min
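
The three-function interface described in the post above, as an added example that is not part of the original message: a vault that accepts Add, Delete and Submit-to-gateway and has no operation that returns card data to the caller. The class name, the SQLite table, the status strings and the stub gateway are assumptions made for illustration; the firewall and host isolation are not modelled here.

```python
import sqlite3

class CardVault:
    """Runs on the isolated host; exposes only add, delete, submit_to_gateway."""

    def __init__(self, gateway):
        # gateway: callable(card: dict, amount_cents: int) -> bool (hypothetical stand-in)
        self._gateway = gateway
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE cards (customer_id TEXT PRIMARY KEY, number TEXT,"
            " name TEXT, billing_address TEXT, expiry TEXT)")

    def add(self, customer_id, number, name, billing_address, expiry):
        # INSERT OR REPLACE also covers a customer changing cards.
        self._db.execute("INSERT OR REPLACE INTO cards VALUES (?,?,?,?,?)",
                         (customer_id, number, name, billing_address, expiry))
        self._db.commit()
        return "stored"

    def delete(self, customer_id):
        cur = self._db.execute("DELETE FROM cards WHERE customer_id = ?", (customer_id,))
        self._db.commit()
        return "deleted" if cur.rowcount else "unknown-customer"

    def submit_to_gateway(self, customer_id, amount_cents):
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            return "bad-amount"
        row = self._db.execute(
            "SELECT number, name, billing_address, expiry FROM cards"
            " WHERE customer_id = ?", (customer_id,)).fetchone()
        if row is None:
            return "unknown-customer"
        card = dict(zip(("number", "name", "billing_address", "expiry"), row))
        # Card data goes only to the gateway; the caller gets a status string.
        return "approved" if self._gateway(card, amount_cents) else "declined"

def demo():
    seen = []  # what the stub gateway received (constructed test data)
    def stub_gateway(card, amount_cents):
        seen.append((card["number"], amount_cents))
        return amount_cents <= 10_000  # stub rule: decline anything over 100.00
    vault = CardVault(stub_gateway)
    vault.add("cust-42", "4111111111111111", "A. Customer", "1 Example St", "12/30")
    results = [vault.submit_to_gateway("cust-42", 2_500),
               vault.submit_to_gateway("cust-42", 50_000),
               vault.submit_to_gateway("cust-99", 2_500),
               vault.delete("cust-42"),
               vault.submit_to_gateway("cust-42", 2_500)]
    return results, seen
```

The main site only ever holds a customer ID and receives a status string back, so a compromise of the main site yields nothing it can use to read stored cards through this interface.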

