On Thu, 5 Jan 2006, John Meyer wrote:
Peter Beckman wrote:
So I'm thinking about how to save credit card numbers in the DB, for
re-charging cards for subscriptions, new orders, etc.
Why, is the first question I would ask you.
So I'm thinking about how to save credit card numbers in the DB, for
re-charging cards for subscriptions, new orders, etc.
Think one-click. Why did Amazon patent one-click? Impulse buys -- the "I
want that, now" factor. If you make 13 steps and 12 input boxes, the
Impulse will probably pass, and you've lost your sale.
Besides, the user can choose if they want you to save their card info.
First off, on a new order, why wouldn't you just save the authorization
code, instead of the credit card number? That would be a lot easier.
Sure. But see my above point. I want to be able to re-charge it later
when the user wants to.
Secondly, you're opening yourself up to
a _ton_ of lawsuits should anything go awry. Unless I had a _real_ good
reason for storing their cc number, I wouldn't, despite the extra step.
Yes yes, lawsuits, scary, etc. I was looking for technical solutions,
i.e. maybe someone knows how USPS.com or Amazon.com or GoDaddy.com (do
they?) does it. Or if it is all security via obscurity.
Best solution yet:
Public key encryption, with additional either secret word padding or
using the users account password to pad/encrypt the card number
(preventing a brute force attack, even if access to the DB is given).
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---------------------------------------------------------------------------
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
