Nope, I still would not recommmend it. The only place the CC data should travel 
to is the payment gateway. Anything else is a security risk. Why does your 
client process by hand? They should be using a payment gateway. 
Subject: Re: [PHP-DB] Credit Card Encryption> Date: Wed, 19 Dec 2007 00:41:36 
-0700> > Ok I've done some research and some thinking. What about storing 
orders in > the database (product info and customer info) and then using GnuPG 
or PGP to > send the credit card info to the merchant? This way the credit card 
> information is not stored on the server or in the database but only in > 
printed format by the merchant. Since my client processes all of the credit > 
card orders by hand this seems like an ideal solution.> > What is more, the 
order and customer info do not need to be present in the > encrypted emails. 
That way the email does not contain a customer name, but > only an order id 
(which could even be a unique and hidden value stored via > AES in the mysql 
db).> > What are your thoughts?> > Keith> > ----- Original Message ----- > 
From: "Bastien Koert" <[EMAIL PROTECTED]>> To: "Keith Spiller" <[EMAIL 
PROTECTED]>; <>> Sent: Tuesday, December 18, 2007 9:41 PM> 
Subject: RE: [PHP-DB] Credit Card Encryption> > > > Think very carefully about 
what you want to do here. PCI (payment card > industry) has radically changed 
the rules about how CC data is stored in a > networked environment. If your 
data environment is shared (shared web > hosting), don't even think about it. 
There are a large number of rules that > you need to follow to make your data 
systems PCI compliant [ > ] and they are not 
easy to follow. Things > like strong encryption, code audits by qualified third 
parties etc.> > If you absolutely need to store the data (many of my large 
clients do this):> 1. the database server should not be web facing, nor 
accessible internally > by the web servers> 2. the access (physical and 
electronic) should be extremely limited> 3. the facility that holds the data 
should be hardened with limited > controlled access> 4. provide a cross 
reference number to the CC that other applications can > use to replace the CC 
number> > If you are storing transactional data, just store the confirmation 
number > that is returned by the payment gateway that you use. Let the payment 
> gateway assume the risks of handling the data, its what they get paid for. > 
If the data is for re-occurring payments, let the payment gateway handle it, > 
many support these kinds of payments.> > Bastien> > From: [EMAIL PROTECTED]> 
To:> CC: > > [EMAIL PROTECTED]> Date: Tue, 18 Dec 2007 
18:20:08 -0700> Subject: > > [PHP-DB] Credit Card Encryption> > Hi Everyone,> > 
I'm trying to determine > > the best method to store credit card numbers in a > 
mysql database. As yet > > I have been unable to determine whether I should use 
> MySQL AES, DES or a > > PHP encryption method. I would greatly appreciate any 
> advice you guys > > could offer.> > Thanks.> > Keith > > -- > PHP Database 
Mailing List > > (> To unsubscribe, visit: > >>> 
_________________________________________________________________> Discover new 
ways to stay in touch with Windows Live! Visit the City @ Live > today!> > 
Introducing the City @ Live! Take a tour!

Reply via email to