Did you actually SNIP the "document[ation] how it can be done safely for all
the world to see and learn!" ???  Or are you saying go buy this book?

-----Original Message-----
From: Peter Beckman [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 06, 2006 10:54 PM
To: Neil Smith [MVP, Digital media]
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] Storing Credit Cards, Passwords, Securely,

On Fri, 6 Jan 2006, Neil Smith [MVP, Digital media] wrote:

>> Peter Beckman wrote:
>> So I'm thinking about how to save credit card numbers in the DB, for
>> re-charging cards for subscriptions, new orders, etc.
>>  Yes yes, lawsuits, scary, etc.
> I'm glad you're so blase about this and the threat of your business going

  Not blase -- just sick of hearing "don't do it" "you'll get sued"
  "impossible" "what's wrong with you"

  I want to secure this information, responsibly.  How? (You answer this

> Security by obscurity is a myth.

  I believe you -- and if obscurity is a myth, let's document how it can be
  done safely for all the world to see and learn!

> *DO NOT* store any credit card numbers on any publically accessible
> system. Ever. Period.

  Sometimes when questions are asked a background of the knowledge of the
  poster is not given.  I would never do that.  A server that is connected
  to the internet directly storing credit cards is asking for a lawsuit.
  It's got a sign with "please hack me" on it.

> OK now to the candy : I've had this book a while, and it's one of the most

> insightful and well researched (from experience) books on security I've
> read. In fact - so good I'm going to go to the trouble to retype an
> of a section called "One-Way Credit Card Data Path for Top Security"
> (Bob Toxen) have come up with the concept of a one-way credit card data

  Now THAT is exactly what I was looking for -- THANKS!  I'll go get the

> (snipped section about spot welded steel pipes encasing LAN cable !)

  *laugh* That might be a bit of overkill... but I get the idea.

> The CC server then contacts the processing bank through the private
> to charge the amt, store the authorisation number if successful and
> either "Success" or an appropriate error message

  Obviously most CC auths are via the 'net + SSL, private networks don't
  apply (and they are kind of cost prohibitive).  If you have a
  router/firewall/ipfw between your CC and the 'net, blocking incoming but
  allowing outgoing to your cc auth host ip(s), is that good enough?  What
  else can be done?

> As Bob's book is so bloody good, here's the ASIN for it in case you want
> to read all 650 pages of good advice ;-)

  Thank you Neil -- sold!

Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/
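For the firewall question in Peter's message (block everything inbound, allow outbound only to the processor's addresses), here is the policy written out as iptables commands. This is an added example, not code from the thread or from Bob Toxen's book; iptables on Linux is an assumption (the thread mentions ipfw), and the addresses 10.0.1.10 (web server), 203.0.113.10/11 (processor), port 8443 and interface eth0 are placeholders. The script only prints the rules so they can be reviewed, and audit_rules rejects any outbound rule that is not pinned to a destination, which is the usual way this policy quietly decays.

```shell
#!/bin/sh
# Egress-only firewall policy for a dedicated card-charging host, expressed
# as iptables commands. Added example, not from the thread or from Bob
# Toxen's book; iptables (Linux) is an assumption, the thread mentions ipfw.
# All addresses, the interface name and the service port are placeholders.
#
# Policy, in the order the rules are evaluated:
#   1. default DROP on INPUT, FORWARD and OUTPUT
#   2. loopback and replies to connections that already exist
#   3. inbound NEW: only the web server, only to the CC service port, LAN side
#   4. outbound NEW: only TCP/443 to the processor's pinned addresses
#   5. log everything else before the default policy drops it
#
# Usage: cc_host_rules WEB_SERVER CC_PORT LAN_IF PROCESSOR_IP [PROCESSOR_IP...]
cc_host_rules() {
    web_server=$1; cc_port=$2; lan_if=$3; shift 3
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -p tcp -s $web_server --dport $cc_port -m state --state NEW -j ACCEPT"
    # No DNS rule on purpose: pin the processor's IPs so a poisoned resolver
    # cannot redirect authorisations. Re-check the pinned list whenever the
    # processor announces address changes.
    for ip in "$@"; do
        echo "iptables -A OUTPUT -p tcp -d $ip --dport 443 -m state --state NEW -j ACCEPT"
    done
    # A compromised CC host trying to phone home shows up in these logs.
    echo "iptables -A INPUT -j LOG --log-prefix 'CC-IN-DROP: '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'CC-OUT-DROP: '"
}

# Review guard: reject any rule that lets a NEW outbound connection go to an
# unpinned destination. Reads a ruleset on stdin; returns 1 on the first
# broad rule so it can gate deployment in a script.
audit_rules() {
    while IFS= read -r line; do
        case $line in
            *"-A OUTPUT "*"--state NEW"*)
                case $line in
                    *" -d "*) ;;
                    *) echo "broad egress rule: $line" >&2; return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# Print the ruleset for review. Pipe it into sh as root only after
# audit_rules passes, and from the console: ssh is not allowed by these
# rules, so management access needs its own explicit rule from a jump host.
cc_host_rules 10.0.1.10 8443 eth0 203.0.113.10 203.0.113.11 | audit_rules
cc_host_rules 10.0.1.10 8443 eth0 203.0.113.10 203.0.113.11
```

Two things the rules above deliberately leave out: any "allow all outbound" line, because an attacker who gets code running on the CC host would use exactly that to exfiltrate stored card data, and DNS, because resolving the processor's hostname at runtime hands control of where authorisations go to whoever controls the resolver. The cost is keeping the pinned address list current.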


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
