Thanks for the information, especially the PCI Complancy link and info.

  ----- Original Message ----- 
  From: Bastien Koert 
  To: Keith Spiller ; 
  Sent: Tuesday, December 18, 2007 9:41 PM
  Subject: RE: [PHP-DB] Credit Card Encryption

  Think very carefully about what you want to do here. PCI (payment card 
industry) has radically changed the rules about how CC data is stored in a 
networked environment. If your data environment is shared (shared web hosting), 
don't even think about it. There are a large number of rules that you need to 
follow to make your data systems PCI compliant [ ] and they are not easy to follow. Things 
like strong encryption, code audits by qualified third parties etc.
  If you absolutely need to store the data (many of my large clients do this):
  1. the database server should not be web facing, nor accessible internally by 
the web servers
  2. the access (physical and electronic) should be extremely limited
  3. the facility that holds the data should be hardened with limited 
controlled access
  4. provide a cross reference number to the CC that other applications can use 
to replace the CC number
  If you are storing transactional data, just store the confirmation number 
that is returned by the payment gateway that you use. Let the payment gateway 
assume the risks of handling the data, its what they get paid for. If the data 
is for re-occurring payments, let the payment gateway handle it, many support 
these kinds of payments.

  > To:
  > Date: Tue, 18 Dec 2007 18:20:08 -0700
  > Subject: [PHP-DB] Credit Card Encryption
  > Hi Everyone,
  > I'm trying to determine the best method to store credit card numbers in a 
  > mysql database. As yet I have been unable to determine whether I should use 
  > MySQL AES, DES or a PHP encryption method. I would greatly appreciate any 
  > advice you guys could offer.
  > Thanks.
  > Keith 
  > -- 
  > PHP Database Mailing List (
  > To unsubscribe, visit:

  Books, DVD's, gadgets, music and more. Shop online with Sympatico / MSN 
Shopping today! 

Reply via email to