Stephen, you're correct regarding the Public/Private key functionality. You could write a CFX tag which uses the public key to encrypt and the private key to decrypt. All you have to worry about is hiding the private key.

You should hide and obfuscate the private key so that it's hard even for you to retrieve it (without leaving some kind of trail). Do this simply for your own protection - if the fraud police come knocking on your door you'll need to prove that "it wasn't me!".

Also, remember to encrypt the CV2 number.

Douglas

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: 17 September 2003 19:20
To: [EMAIL PROTECTED]
Subject: Re: [ cf-dev ] Credit card encryption

> Exactly as, with any public cflib encryption technique it will show you how
> to encrypt it, but conversely it will show you how to decrypt it.
>
eh?

You cannot decrypt anything that has been encrypted using a public key unless you have the private key. The two keys are not the same, so you cannot decrypt using the public key that was used to encrypt the 'text'. This is the reason that you must not keep the private key on your public web server. Encrypt on the server, decrypt off the server, or use SSL to view the "credit card page" (as you should anyway) and have a box that you have to paste the private key into every time (or something like that).

Small caveat.... I may have my public and private keys the wrong way round, but the principle is correct.

> does mySQL have a hashing function anyway?
>
Wouldn't make any difference. If it's one way, then you lose the credit card details. If it's two way then you must have a single encryption key somewhere, which then leaves you open to hacking and easy decryption.

Stephen

> -----Original Message-----
> From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> Sent: 17 September 2003 17:00
> To: [EMAIL PROTECTED]
> Subject: Re: [ cf-dev ] Credit card encryption
>
>
> Andrew,
>
> You need to use some form of encryption that uses public and private
> keys, e.g. PGP.
>
> You store the public key on the server and the private key somewhere
> else. You encrypt using the public key, but can only decrypt using the
> private key. As long as the private key isn't on the server and kept in
> a safe place then your CC details should be fairly secure.
>
> Regards
>
> Stephen
>
>
> Andrew Levett wrote:
> > Afternoon all,
> >
> > I know it's not best practice but we need to store credit card details in
> > a MySQL db, does anyone know of a safe way to encrypt the cc number?
> >
> > The main problem I see is that the key will need to be stored within the
> > db as well - therefore I am thinking of using some of the data already
> > in the db as the key.
> >
> > Anyone got a better idea?
> >
> > Cheers
> >
> > Andy

--
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For human help, e-mail: [EMAIL PROTECTED]
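The split the thread keeps coming back to, as an added example that is not from the list or from any of the posters: the web server holds only the public key and can encrypt a card number, while a separate off-server box holds the private key and is the only party that can decrypt. Go's standard-library RSA-OAEP stands in for the PGP/CFX route discussed; the OAEP label value and the test card number are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is an assumed value that ties each ciphertext to this one purpose.
var oaepLabel = []byte("stored-card-pan")

// WebServer is the public-facing box from the thread: it holds the public key
// only, so it can encrypt a card number but has nothing to decrypt one with.
type WebServer struct{ pub *rsa.PublicKey }

// BackOffice is the off-server box that alone holds the private key.
type BackOffice struct{ priv *rsa.PrivateKey }

// NewKeyPair makes one RSA key pair and hands each side its half; in deployment
// the private half never touches the web server (both built here to run stand-alone).
func NewKeyPair() (WebServer, BackOffice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return WebServer{}, BackOffice{}, err
	}
	return WebServer{pub: &priv.PublicKey}, BackOffice{priv: priv}, nil
}

// EncryptCard produces the bytes to store in the database column. RSA-OAEP is
// randomised, so the same PAN stored twice gives two different ciphertexts.
func (w WebServer) EncryptCard(pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), oaepLabel)
}

// DecryptCard recovers the PAN off-server; it returns an error, not garbage,
// for a ciphertext made under another key or a tampered column value.
func (b BackOffice) DecryptCard(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, b.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	web, office, _ := NewKeyPair()                // errors ignored only in this demo
	ct, _ := web.EncryptCard("4111111111111111") // constructed test PAN, not a real card
	fmt.Println(office.DecryptCard(ct))
}
```

Because the WebServer type has no private key at all, a compromise of that box yields ciphertext and a public key, which is exactly the property the thread is after; the same holds for Andy's "key in the db" worry, since nothing stored beside the ciphertext can reverse it.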
