For an ecommerce site where sensitive data is stored either in files, or in a database, have you used some form of encryption to protect your customer's data?
I have a client who currently uses a Perl scripted shopping cart that stores orders (including credit card numbers) in plain text files on a shared server. The security of these files depends purely on the user/file system security measures enforced by the hosting company (which I think is a reasonably good company, but still I don't see it as being sufficiently secure). I am going to rewrite the shopping cart using PHP and was looking into ways to protect the data. Using GNU Privacy Guard (gpg) seemed like the ideal method because I could store the client's public key on the server to encrypt orders and the customer could then download the encrypted files and decrypt them on his PC with his private key (the client manually submits orders through his "store front" merchant account). I know this is a somewhat archaic procedure but it works sufficiently well for this client. However the hosting company won't support gpg so that leaves me with PHP mcrypt functions which I think would work very well, except for on thing - how to protect the secret key which now has to be on the server? Any ideas/suggestions/experience along that line? Thanks in advance, Lawrence Kennon __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
