On Fri, 6 Jan 2006, Neil Smith [MVP, Digital media] wrote:

Peter Beckman wrote:
So I'm thinking about how to save credit card numbers in the DB, for
re-charging cards for subscriptions, new orders, etc.

 Yes yes, lawsuits, scary, etc.

I'm glad you're so blase about this and the threat of your business going

 Not blase -- just sick of hearing "don't do it" "you'll get sued"
 "impossible" "what's wrong with you"

 I want to secure this information, responsibly.  How? (You answer this

Security by obscurity is a myth.

 I believe you -- and if obscurity is a myth, let's document how it can be
 done safely for all the world to see and learn!

*DO NOT* store any credit card numbers on any publically accessible
system. Ever. Period.

 Sometimes when questions are asked a background of the knowledge of the
 poster is not given.  I would never do that.  A server that is connected
 to the internet directly storing credit cards is asking for a lawsuit.
 It's got a sign with "please hack me" on it.

OK now to the candy : I've had this book a while, and it's one of the most insightful and well researched (from experience) books on security I've ever read. In fact - so good I'm going to go to the trouble to retype an excerpt of a section called "One-Way Credit Card Data Path for Top Security"

(Bob Toxen) have come up with the concept of a one-way credit card data path.

 Now THAT is exactly what I was looking for -- THANKS!  I'll go get the

(snipped section about spot welded steel pipes encasing LAN cable !)

 *laugh* That might be a bit of overkill... but I get the idea.

The CC server then contacts the processing bank through the private network to charge the amt, store the authorisastion number if successful and returns either "Success" or an appropriate error message

 Obviously most CC auths are via the 'net + SSL, private networks don't
 apply (and they are kind of cost prohibitive).  If you have a
 router/firewall/ipfw between your CC and the 'net, blocking incoming but
 allowing outgoing to your cc auth host ip(s), is that good enough?  What
 else can be done?

As Bob's book is so bloody good, here's the ASIN for it in case you want
to read all 650 pages of good advice ;-)

 Thank you Neil -- sold!

Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to