On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:


> I work with some of the largest retailers in North America if not the
> world, and I can confirm that the security measures taken to enforce
> PCI compliance are not something lightly undertaken.
> If those entities choose to store the cc#s then they do the following:
> 1. Store the encrypted values on servers that are NOT web facing

Absolutely! If I were trying to do this on a web server, I *would* use a
payment gateway. There's no way I could secure it adequately otherwise.

> 2. Use ridiculously long encryption keys ( well into the 1000s of
> characters)
> 3. They also create a representative value that exists outside the
> system that has to allow some basis of data mining.
> Really as mentioned you don't want to do this. Especially if you have
> no control over the servers.

I have complete control over the server this information is stored on,
including physical control. It is behind a NATed firewall and only
accessible to certain machines on my internal network. The only
personnel with access to the server are myself and my wife.

To be clear, we process credit cards MOTO, meaning we have no physical
access to the cards themselves. We use a small terminal which dials up
our payment processor to get approvals. The problem is that virtually
all of our credit card business is with the same customers and
recurring. So it's not feasible to call them every month or several
times per job to ask for a credit card number. This would aggravate my
customers. So I have to store the information one way or another, on 3x5
cards, in the computer or some way.

And it appears from all the replies that there is no other way to do it
than to have a separate key or password for accessing just these credit
card numbers, and every time they must be accessed, the user must
provide this key, which would be in addition to the usual password for
that user.


Paul M. Foster

PHP General Mailing List (http://www.php.net/)

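A sketch of the arrangement the thread arrives at (card numbers encrypted at rest under a separate key that the user must supply at every access, with a masked representative value kept for lookups), as an added PHP example that is not code from the thread or from any poster; it assumes PHP's sodium extension is available, and the function names and the test card number are my own.

```php
<?php
// Added example, not from the original thread: a stored card number is
// sealed under a key derived from a separate operator passphrase that is
// entered at every access and never stored. Needs PHP >= 7.2 with sodium.
declare(strict_types=1);

// Derive the secretbox key from the passphrase and a per-record salt (Argon2id).
function derive_card_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Record to persist: opaque blob (salt . nonce . ciphertext) plus a masked
// representative value (last four digits) usable for lookups and reports.
function seal_card_number(string $pan, string $passphrase): array
{
    $pan   = preg_replace('/\D/', '', $pan);            // digits only
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_card_key($passphrase, $salt);
    $blob  = $salt . $nonce . sodium_crypto_secretbox($pan, $nonce, $key);
    sodium_memzero($key);                               // key lives only for this call
    return ['blob' => $blob, 'last4' => substr($pan, -4)];
}

// Recover the number; a wrong passphrase or a tampered blob yields null.
function open_card_number(string $blob, string $passphrase): ?string
{
    $sl  = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $nl  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $key = derive_card_key($passphrase, substr($blob, 0, $sl));
    $pan = sodium_crypto_secretbox_open(substr($blob, $sl + $nl), substr($blob, $sl, $nl), $key);
    sodium_memzero($key);
    return $pan === false ? null : $pan;
}

// Demonstration with a constructed test number, not a real card.
$record = seal_card_number('4111 1111 1111 1111', 'operator passphrase');
var_dump(open_card_number($record['blob'], 'operator passphrase'));   // string "4111111111111111"
var_dump(open_card_number($record['blob'], 'wrong passphrase'));      // NULL
```

The passphrase is the "second key" the thread describes: it is prompted for on each access and only the derived key exists in memory, briefly, during the call.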