Hi Shannon,

There will be both internet transactions and sales people. As it is, certificates move the data around and the info is later encrypted with a two-way algorithm. There are facilities to change the passphrase and reencrypt the data. This is limited to one passphrase, however.

As far as the liability, this is a much more secure scheme than what I see on commercial software; therefore, on second thought, I guess I am not too worried about the legal impact although I should check nevertheless. What I see on applications that have patched are extremely complex algorithms that pass the data to the database. See the problem with that? Just a little copy and paste of the function and you are a happy cracker. The salt is saved on the filesystem so why even with the algorithm if it does nothing more than slow down the application. Something that I was thinking is having the administrator log the sales representatives and load the passphrase to a variable and keep it in memory. At least not everyone knows this information and the process would be even safer than that of normal business that keep a hard copy of your credit card.

Well, thanks. If I find something I will post it here although I do not think there is a solution to this, if so, please share.

Alvaro Zuniga

Shannon Roddy wrote:

> On Feb 9, 2004, at 6:27 PM, Alvaro Zuniga wrote:
>
>> Hi Shannon:
>> This is the reason I am inquiring about this before I reply to this
>> request. I do not want to compromise the security of the data and I
>> think this is as far as I can go saving CC info. It is already bad
>> enough to know that the data is as secure as the passphrase but I
>> guess that is not my problem, is it? I should probably look further
>> into the limits of the liability.
>>
>> What's a good place written in the cookbook fashion to check on that?
>>
>
> Personally, I have no idea where to find good info on this sort of
> thing. Unless of course you "Ask Slashdot" :-) But then again, you
> would get lots of the same stuff, and no real useful information.
>
> Is this a web business? As in, are customers coming to their website
> and placing orders? Or is this just a records keeping tool that is used
> internally in the company for the salespeople? I would think this would
> make a vast difference.
>
> Personally, I would find an attorney that would consult you on the
> issues for a reasonable amount.
>
> Shannon
>
>>
>> thanks,
>>
>> Alvaro Zuniga
>>
>> Shannon Roddy wrote:
>>
>>> On Feb 9, 2004, at 5:54 PM, Jim Carter wrote:
>>>
>>>> What's the URL?
>>>>
>>>> Jim
>>>
>>> Yeah, we could all get rich overnight....
>>> One other thing to think about though if you are acting as a
>>> consultant to this person and the CC #s get stolen, you may have some
>>> liability on your hands. IANAL but I would be hesitant to do this
>>> without checking into the limits of the liability.
>>> Shannon
>>>
>>>>
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>>>> Behalf Of Alvaro Zuniga
>>>> Sent: Monday, February 09, 2004 5:19 PM
>>>> To: [email protected]
>>>> Subject: [brlug-general] Securing Database Information
>>>>
>>>>
>>>> Hello everyone:
>>>> I have a question regarding saving credit card information to a
>>>> database. This is what I normally do although my preference is not
>>>> to do it at all of course:
>>>>
>>>> 1. use an SSL connection
>>>> 2. encrypt with a passphrase obtained from the user
>>>> 3. send the encrypted data to a database and then using something
>>>> further like ENCODE in the case of MySQL.
>>>>
>>>> Then, to show data to the user I reverse the process.
>>>>
>>>> My question is: what is the safest way if any, to obtain critical data
>>>> from multiple users and show this data to others. This data will be
>>>> internet accessible on a shared hosting environment.
>>>>
>>>> This is for someone who insists on having the credit card
>>>> information on the database, against my advice and who knows why.
>>>> I figured using encryption would take care of that but it is limited
>>>> to one user or at least one user knowing the passphrase. Now this
>>>> application needs to be expanded to have multiple sale
>>>> representatives. How do I go about that!
>>>>
>>>> Thank you for your help.
>>>>
>>>> Alvaro Zuniga
>>>>
>>>>
>>>> _______________________________________________
>>>> General mailing list
>>>> [email protected] http://brlug.net/mailman/listinfo/general_brlug.net
>>>>
>>> --
>>> Shannon Roddy
>>> LIGO - Caltech
>>> 225.686.3106 (work)
>>> 225.933.7821 (cell)
>>> [EMAIL PROTECTED]

--
Alvaro Zuniga
Information Technology Professional
Zunitek Solutions
(337) 654 6515
www.zunitek.com
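
Added example, not part of the original thread or any poster's code: one common way around the "limited to one passphrase" problem raised above is to encrypt the records with a random data key and store one wrapped copy of that key per user, each under that user's own passphrase. The function names, the slot layout, the iteration count and the passphrases are assumptions made for this sketch, and the XOR-plus-HMAC wrap is a standard-library stand-in for a vetted key-wrap or AEAD from a cryptographic library.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _keys(passphrase, salt):
    """Stretch a passphrase, then split the result into a one-time pad and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    pad = hmac.new(master, b"pad", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return pad, mac_key

def wrap_key(data_key, passphrase):
    """Wrap the 32-byte data key under one user's passphrase (one slot per user)."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh per wrap, so a pad is never reused
    pad, mac_key = _keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(slot, passphrase):
    """Return the data key, or raise if the passphrase is wrong or the slot was altered."""
    pad, mac_key = _keys(passphrase, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong passphrase or tampered slot")
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))

def can_unlock(slots, user, passphrase, data_key):
    """True only if this user's slot yields the real data key."""
    try:
        return user in slots and unwrap_key(slots[user], passphrase) == data_key
    except ValueError:
        return False

def demo():
    data_key = secrets.token_bytes(32)  # the key that encrypts the stored records
    slots = {"admin": wrap_key(data_key, "constructed-admin-phrase")}
    # The administrator unlocks the data key and enrolls a rep under the rep's own passphrase.
    unlocked = unwrap_key(slots["admin"], "constructed-admin-phrase")
    slots["rep1"] = wrap_key(unlocked, "constructed-rep1-phrase")
    enrolled = can_unlock(slots, "rep1", "constructed-rep1-phrase", data_key)
    # The rep changes passphrase: only that slot is rewritten, no record is re-encrypted.
    key = unwrap_key(slots["rep1"], "constructed-rep1-phrase")
    slots["rep1"] = wrap_key(key, "constructed-rep1-new")
    changed = can_unlock(slots, "rep1", "constructed-rep1-new", data_key)
    old_rejected = not can_unlock(slots, "rep1", "constructed-rep1-phrase", data_key)
    del slots["rep1"]  # the rep leaves: drop the slot; the admin slot still works
    removed = not can_unlock(slots, "rep1", "constructed-rep1-new", data_key)
    admin_ok = can_unlock(slots, "admin", "constructed-admin-phrase", data_key)
    return enrolled, changed, old_rejected, removed, admin_ok
```

Deleting a slot only stops future unlocks; a rep who already held the data key still knows it, so removing access for good means generating a new data key and re-encrypting the records.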
