--- mock <[EMAIL PROTECTED]> wrote:

> On Tue, Aug 10, 2004 at 08:57:14PM -0400, Geoffrey Young wrote:
> > 
> > > > but hiding the decryption key from technical people is generally
> > > > impossible
> > > 
> > > Only if they crack your application server.  Cracking the database or
> > > sniffing packets would not be good enough, assuming traffic to your
> > > credit card company is over SSL.
> > 
> > oh, sure.
> > 
> > I guess I had a different mindset with all of that - internal employees.
> > for most big companies I would assume that accessing the underlying Oracle
> > financials database (or some other "enterprise" solution) with _all_ the
> > credit card numbers would be sufficiently difficult for outside hackers.
> > I'd be much more worried about the disgruntled employee causing trouble.
> > 
> > but you're right - crackers are a legitimate concern for this kind of thing,
> > and I wasn't aware of the role that verisign is now playing (which I guess
> > is the cost of having worked someplace where we built everything from
> > scratch).  so, thanks for the knowledge :)
> > 
> > --Geoff
> > 
> > -- 
> > Report problems: http://perl.apache.org/bugs/
> > Mail list info: http://perl.apache.org/maillist/modperl.html
> > List etiquette: http://perl.apache.org/maillist/email-etiquette.html
> > 
> 
> This is about to go out to CPAN, but since it seems there is some question
> as to how to do this, I'll send it out a little early.  Attached is a module
> for safely encrypting and storing credit cards using the Business::OnlinePayment
> interface.  It uses a public RSA key and Crypt::OpenSSL::RSA to encrypt a
> randomly generated Blowfish symmetric key, which is used with Crypt::CBC to
> encrypt the credit card details.  Also included is a module for reversing the
> transaction given the RSA private key.  This allows one to store credit cards
> safely on the server, by not putting the private RSA key on the same machine.
> To retrieve the cards, simply pull the data to an offline machine, and
> decrypt using the RSA private key.  Assuming you aren't an idiot and leave
> the private key somewhere internet accessible, this should be as proof against
> hackers as any other credit card processing.
> 
> enjoy
> 
> mock
> 

This sounds really awesome. Thanks. Just what we need.

Can one key decrypt the whole batch of cards?


> ATTACHMENT part 2 application/x-tar-gz 

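The storage scheme mock describes above (a per-record random Blowfish key, wrapped under an RSA public key, with the RSA private key kept on an offline machine), written out as a small added example. This is not the attached module's code, and it assumes the CPAN modules Crypt::OpenSSL::RSA, Crypt::OpenSSL::Random, Crypt::CBC and Crypt::Blowfish are installed; the record layout, the 16-byte Blowfish key length and the OAEP padding are my own choices, since the thread does not specify them. The sample card records are constructed and not real numbers.

```perl
#!/usr/bin/perl
# Added example, not the posted module: hybrid RSA + Blowfish-CBC storage of
# card records. Anything not named in the thread is an assumption of this example.
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::Random qw(random_bytes);
use Crypt::CBC;
use MIME::Base64 qw(encode_base64 decode_base64);

# Key generation happens once, offline. Only the PEM public key is copied to
# the web server; the private key never leaves the offline machine.
my $keypair     = Crypt::OpenSSL::RSA->generate_key(2048);
my $public_pem  = $keypair->get_public_key_string();
my $private_pem = $keypair->get_private_key_string();

# Web-server side: seal one record using nothing but the public key.
sub seal_card {
    my ($public_pem, $card_details) = @_;

    # A fresh Blowfish key (16 bytes, my choice) and an 8-byte IV (Blowfish
    # block size) per record, so no two records share symmetric key material.
    my $blowfish_key = random_bytes(16);
    my $iv           = random_bytes(8);

    my $cbc = Crypt::CBC->new(
        -key         => $blowfish_key,
        -cipher      => 'Blowfish',
        -literal_key => 1,        # use the key bytes as-is, no key derivation
        -header      => 'none',   # we store the IV ourselves
        -iv          => $iv,
    );
    my $card_ct = $cbc->encrypt($card_details);

    # Wrap the symmetric key under the RSA public key (OAEP padding: my choice).
    my $rsa = Crypt::OpenSSL::RSA->new_public_key($public_pem);
    $rsa->use_pkcs1_oaep_padding();
    my $wrapped_key = $rsa->encrypt($blowfish_key);

    # Storage format for this example: three base64 fields joined by ':'.
    return join ':', map { encode_base64($_, '') } ($wrapped_key, $iv, $card_ct);
}

# Offline side: unwrap the record's Blowfish key with the private key, then
# decrypt the card details.
sub open_card {
    my ($private_pem, $record) = @_;
    my ($wrapped_key, $iv, $card_ct) = map { decode_base64($_) } split /:/, $record;

    my $rsa = Crypt::OpenSSL::RSA->new_private_key($private_pem);
    $rsa->use_pkcs1_oaep_padding();
    my $blowfish_key = $rsa->decrypt($wrapped_key);

    my $cbc = Crypt::CBC->new(
        -key         => $blowfish_key,
        -cipher      => 'Blowfish',
        -literal_key => 1,
        -header      => 'none',
        -iv          => $iv,
    );
    return $cbc->decrypt($card_ct);
}

# Constructed sample records (test numbers, not real cards).
my @cards = (
    "4111111111111111|12/09|J Example",
    "5555555555554444|03/10|A Sample",
);
my @stored = map { seal_card($public_pem, $_) } @cards;

# Every stored record carries its own wrapped Blowfish key, so the one private
# key recovers all of them; the web server, holding only the public key, cannot.
for my $i (0 .. $#stored) {
    my $plain = open_card($private_pem, $stored[$i]);
    die "round trip failed for record $i" unless $plain eq $cards[$i];
}
print "sealed and recovered ", scalar(@stored), " records\n";
```

Two points a practitioner would check before adopting this shape: the single RSA private key is the whole secret, so the offline handling of that key (and its backups) is what the design's security rests on; and, as written here, the construction only provides confidentiality, so a deployment that must detect tampering with stored records would add a MAC over the ciphertext fields.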
