For what company do you work, if you don't mind me asking?
----- Original Message -----
From: "Derick Dorner" <[EMAIL PROTECTED]>
To: "Chris Cameron" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, July 01, 2001 3:23 PM
Subject: Re: Storing Credit Cards
> I am running a website where users enter a credit card # (we have several
> hundred thousand users and this works fine) and they are stored in the
> database, and their membership is renewed monthly. I keep the credit card
> #'s in a separate database with strict permissions, and ALL data is
> encrypted using MySQL's function so it's fast, and the salt to encrypt them
> is stored in a binary file readable only by that server and select admins
> ...never had a problem. If I wanted to make it more secure I am doing
> this... I am writing a separate compiled C program to enter the database
> and do the membership renewals, rather than PHP, and this way the salt used
> to decode the credit card info is NEVER in plaintext on the server, and that
> program won't run on another server... so no matter how badly we are hacked,
> it is very difficult to get the information from us. This seems to be a good
> and fast method.
>
> ----- Original Message -----
> From: "Chris Cameron" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, July 01, 2001 4:27 PM
> Subject: Storing Credit Cards
>
>
> > A client has asked us to make him an application that requires us keeping
> > Credit Card Numbers. I'm a bit concerned as it immediately reminded me of
> > egghead.com (having all their CC #'s stolen).
> >
> > One of the ideas was to have the user's password encrypted as an md5 hash,
> > and then to encrypt the user's CC with their password. So we wouldn't
> > actually keep anything that could immediately show credit card numbers on
> > the server. The problem this creates is whenever we need to use their
> > credit card, the user needs to enter in their password. Which would be
> > quite inconvenient as we'd use it in many places (like showing the last 4
> > digits to verify it's the right card).
> >
> > The only other idea was to just stick them in plain text and keep people
> > far away from the MySQL server.
> >
> > Has anyone had any experience with this? Or any suggestions?
> >
> > Thanks,
> > Chris
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> > http://www.mysql.com/manual.php (the manual)
> > http://lists.mysql.com/ (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >
>
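An added illustration of the two needs raised in this thread, not code from any of the posters: the last four digits are stored in their own column so the display path never needs the key, while the full number is encrypted with a MySQL function using a key the client supplies per session. The table, column, database and account names are assumptions, and the key and card number are constructed demo values.

```sql
-- Added example (MySQL 5.6.17 or later). All names below are assumptions.
SET SESSION block_encryption_mode = 'aes-256-cbc';

CREATE TABLE member_cards (
    member_id  INT UNSIGNED  NOT NULL PRIMARY KEY,
    card_last4 CHAR(4)       NOT NULL,  -- display value, readable without the key
    pan_iv     BINARY(16)    NOT NULL,  -- random IV, unique per row
    pan_enc    VARBINARY(32) NOT NULL   -- AES-256-CBC ciphertext of the full number
);

-- The key is never stored in a table: the client reads it from a key file
-- outside the database and sets it for the session only.
-- Constructed all-zero demo key; a real deployment loads 32 random bytes.
SET @card_key = UNHEX(REPEAT('00', 32));

-- Enrolment: encrypt the full number, keep only the last four digits in clear.
SET @pan = '4111111111111111';          -- well-known test number, not a real card
SET @iv  = RANDOM_BYTES(16);
INSERT INTO member_cards (member_id, card_last4, pan_iv, pan_enc)
VALUES (1, RIGHT(@pan, 4), @iv, AES_ENCRYPT(@pan, @card_key, @iv));

-- Display path ("is this the right card?"): no key and no decryption involved.
SELECT member_id, CONCAT('************', card_last4) AS masked_card
FROM member_cards
WHERE member_id = 1;

-- The web account (assumed to exist already) can be limited to the display
-- columns, so a compromise of that account exposes no ciphertext or IVs.
GRANT SELECT (member_id, card_last4)
    ON billing.member_cards TO 'web_ro'@'localhost';

-- Renewal path: only the job that holds the key can recover the full number.
SELECT member_id,
       CAST(AES_DECRYPT(pan_enc, @card_key, pan_iv) AS CHAR) AS pan
FROM member_cards
WHERE member_id = 1;
```

CBC mode provides confidentiality only; it does not detect tampering with the stored ciphertext.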