Re: Form Encryption
> Very good points across the board.
> Technically, I do not need to store the credit card info in the db.
> However I do need to securely send/pass/or make available the credit
> card info to the receiving company. Maybe there is a better method to
> do so.

I've found that after a transaction is processed, my clients can do what they need to do (refunds etc.) with just the last 4 digits. At least with authorize.net. We have no need for the full CC number anyway.

Will

Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 & Flex 2
Free Trial
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJU

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280356
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Form Encryption
On Wednesday 06 Jun 2007, Russ wrote:
> they happen, but there's really nothing you can do about that. Just try to
> keep your server as secure as you can.

Remember there are now binding requirements from Visa etc. over your security procedures, which you may now fall under:
https://www.pcisecuritystandards.org/

--
Tom Chiverton
Helping to carefully mesh eye-catching m-commerce on: http://thefalken.livejournal.com

This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008.

For more information about Halliwells LLP visit www.halliwells.com.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280354
RE: Form Encryption
The way this is done is over some secure tunnel at the time of transaction. Verisign's (now Paypal's) tags do that, as well as most other companies I believe. Locally you should never store the credit card, only the transaction id from the cc company. If your server is compromised, they cannot get any old cc #'s, although they can probably sniff transactions as they happen, but there's really nothing you can do about that. Just try to keep your server as secure as you can.

Russ

> -----Original Message-----
> From: Steve Kahn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 1:27 PM
> To: CF-Talk
> Subject: RE: Form Encryption
>
> Very good points across the board.
> Technically, I do not need to store the credit card info in the db.
> However I do need to securely send/pass/or make available the credit card
> info to the receiving company. Maybe there is a better method to do so.
>
> Steve
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 12:53 PM
> To: CF-Talk
> Subject: Re: Form Encryption
>
> You can use asymmetric-key RSA encryption economically...
>
> http://developer.perthweb.com.au/textcrypt.html
>
> I've been using that tool for many years. It's about as safe as you
> can get for encrypting stored data. Key part of that phrase is "as
> you can get".
>
> The problems with symmetric key encryption were already well-stated.
> Don't even think of doing that. In theory a combination of SSL and a
> 128-bit RSA encryption provide a commercial-strength solution, but I
> would argue that it's a horrible idea to store credit card info on a
> server you are responsible for. It's such a gross violation of best or
> even acceptable practices in the IT and financial industries that the
> liability you will bear if the chain of custody on the private key is
> compromised... the liability you will personally incur, as well as
> what your client will incur... it's not worth the risk.
>
> I would suggest that, if you are storing data, encrypt ALL of it to
> make the job more difficult. Do not name the fields with
> hacker-usable names (like credit_card_number). Use symmetric key
> encryption to encrypt first, then use asymmetric to encrypt that.
> Access your db server via a 2nd nic and make that 2nd nic go to the
> other server via internal IPs only.
>
> ... and say your prayers regularly.
>
> --
> [EMAIL PROTECTED]
> Janitor, The Robertson Team
> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280288
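Will's note that the last four digits are enough for refunds and Russ's advice to keep only the processor's transaction id describe the same design: the application validates the card number on the way through and retains nothing that would help someone who dumps the database. The Go program below is an added example, not code from this thread or from any product named in it; the `CardRecord` layout, the `FindPANs` scanner and the log lines it runs over are constructed for illustration, and the card numbers in them are the well-known test numbers. The scanner is the check a practitioner would run over logs and database exports to confirm that a system which claims not to retain card numbers really does not; the Luhn check keeps timestamps and order numbers from showing up as false positives.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CardRecord is all the application keeps once the processor has accepted
// the charge: the transaction id for refunds and lookups, and the last
// four digits for display. (Constructed layout for this example.)
type CardRecord struct {
	TransactionID string
	Last4         string
	MaskedPAN     string
}

// luhnValid reports whether a string of 13 or more digits passes the Luhn
// check that every card number must satisfy.
func luhnValid(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// NewCardRecord validates the number the customer typed, then keeps only
// the last four digits alongside the processor's transaction id. The full
// PAN is used for the check and for nothing else.
func NewCardRecord(pan, transactionID string) (CardRecord, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and dashes
	}, pan)
	if len(digits) > 19 || !luhnValid(digits) {
		return CardRecord{}, errors.New("card number failed length/Luhn check")
	}
	if transactionID == "" {
		return CardRecord{}, errors.New("processor transaction id is required")
	}
	last4 := digits[len(digits)-4:]
	return CardRecord{
		TransactionID: transactionID,
		Last4:         last4,
		MaskedPAN:     strings.Repeat("*", len(digits)-4) + last4,
	}, nil
}

// candidatePAN matches 13 to 19 digits, optionally separated by spaces or
// dashes, as card numbers are usually typed or logged.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// FindPANs scans text such as a log file or a database export for full card
// numbers, keeping only Luhn-valid candidates.
func FindPANs(text string) []string {
	var found []string
	for _, m := range candidatePAN.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// SampleLog is a constructed debug trace of the kind a form handler leaves
// behind when verbose logging is left on; the 14-digit timestamp and the
// phone number are there to show what the scanner ignores.
const SampleLog = `2007-06-06 11:27:00 form post ts=20070606112700 txn=TXN-000123 last4=1111
2007-06-06 11:27:01 DEBUG raw form: cc=4111111111111111 exp=09/09
2007-06-06 11:28:14 DEBUG raw form: cc=5500 0000 0000 0004 exp=01/10
2007-06-06 11:29:00 refund txn=TXN-000123 phone=555-867-5309`

func main() {
	rec, err := NewCardRecord("4111 1111 1111 1111", "TXN-000123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %+v\n", rec)
	fmt.Println("full PANs found in log:", FindPANs(SampleLog))
}
```

Run against a real export, a hit from `FindPANs` means the "we only keep the last four" claim is false somewhere, usually in a debug log or a backup rather than the main table.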
RE: Form Encryption
Very good points across the board.
Technically, I do not need to store the credit card info in the db.
However I do need to securely send/pass/or make available the credit card info to the receiving company. Maybe there is a better method to do so.

Steve

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 12:53 PM
To: CF-Talk
Subject: Re: Form Encryption

You can use asymmetric-key RSA encryption economically...

http://developer.perthweb.com.au/textcrypt.html

I've been using that tool for many years. It's about as safe as you can get for encrypting stored data. Key part of that phrase is "as you can get".

The problems with symmetric key encryption were already well-stated. Don't even think of doing that. In theory a combination of SSL and a 128-bit RSA encryption provide a commercial-strength solution, but I would argue that it's a horrible idea to store credit card info on a server you are responsible for. It's such a gross violation of best or even acceptable practices in the IT and financial industries that the liability you will bear if the chain of custody on the private key is compromised... the liability you will personally incur, as well as what your client will incur... it's not worth the risk.

I would suggest that, if you are storing data, encrypt ALL of it to make the job more difficult. Do not name the fields with hacker-usable names (like credit_card_number). Use symmetric key encryption to encrypt first, then use asymmetric to encrypt that. Access your db server via a 2nd nic and make that 2nd nic go to the other server via internal IPs only.

... and say your prayers regularly.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280274
Re: Form Encryption
You can use asymmetric-key RSA encryption economically...

http://developer.perthweb.com.au/textcrypt.html

I've been using that tool for many years. It's about as safe as you can get for encrypting stored data. Key part of that phrase is "as you can get".

The problems with symmetric key encryption were already well-stated. Don't even think of doing that. In theory a combination of SSL and a 128-bit RSA encryption provide a commercial-strength solution, but I would argue that it's a horrible idea to store credit card info on a server you are responsible for. It's such a gross violation of best or even acceptable practices in the IT and financial industries that the liability you will bear if the chain of custody on the private key is compromised... the liability you will personally incur, as well as what your client will incur... it's not worth the risk.

I would suggest that, if you are storing data, encrypt ALL of it to make the job more difficult. Do not name the fields with hacker-usable names (like credit_card_number). Use symmetric key encryption to encrypt first, then use asymmetric to encrypt that. Access your db server via a 2nd nic and make that 2nd nic go to the other server via internal IPs only.

... and say your prayers regularly.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280270
RE: Form Encryption
There is no real good encryption you can use. You can use a symmetric key encryption algorithm to encrypt the data before inserting it into sql, and then decrypt when recalling the data, but you will have to keep the encryption key in the code somewhere, or read it from some source. Either way, if the attacker gets access to the code, he will be able to decrypt all your data. I guess it provides protection sort of the way security through obscurity provides protection.

Russ

> -----Original Message-----
> From: Steve Kahn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 12:21 PM
> To: CF-Talk
> Subject: RE: Form Encryption
>
> Got the comodo ssl in place, want to encrypt the data when inserted into
> sql and then decrypt it when calling it up
>
> -----Original Message-----
> From: Adkins, Randy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 12:13 PM
> To: CF-Talk
> Subject: RE: Form Encryption
>
> SSL is one piece of the pie you should have!
>
> -----Original Message-----
> From: Steve Kahn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 11:59 AM
> To: CF-Talk
> Subject: RE: Form Encryption
>
> protect credit card and personal info;
> when the visitor submits form data at site and when the company employee
> logs in to site to call up the data
>
> -----Original Message-----
> From: Tom Chiverton [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 11:42 AM
> To: CF-Talk
> Subject: Re: Form Encryption
>
> On Wednesday 06 Jun 2007, Steve Kahn wrote:
> > Does anyone have an easy to use 'Form Encryption' app they could
> > recommend?
>
> With the aim of doing what?
> And since you mention 'encryption' - against what sort of an attacker?
>
> --
> Tom Chiverton
> Helping to heterogeneously disintermediate total initiatives
> on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280265
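Matt's suggestion earlier in the thread (encrypt with a symmetric key, then encrypt that key with an asymmetric one) and Russ's objection above (whatever key the web server can read, an attacker on that server can read too) fit together as envelope encryption with the private key kept off the web tier. The Go program below is an added example, not code from this thread or from any tool named in it. It assumes a 2048-bit RSA key generated somewhere other than the web server (the `GenerateBackOfficeKey` stand-in), AES-256-GCM for the data, RSA-OAEP for the key wrap, and a record id bound in as associated data so an envelope cannot be swapped between records; all names are mine. The web tier is provisioned with only the public key, so a compromise there yields ciphertext that cannot be opened locally, which addresses Russ's point. It does nothing for data sniffed while a transaction is in flight, and keeping only the transaction id remains the simpler answer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Envelope is one stored record: the data under a fresh per-record AES-256
// key (the DEK), and that DEK wrapped with the back-office RSA public key.
// (Constructed layout for this example.)
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(public key, DEK)
	Nonce      []byte // AES-GCM nonce, fresh for every Seal call
	Ciphertext []byte // AES-GCM(DEK, plaintext) with the record id as AAD
}

// oaepLabel ties the wrapped key to this use so the same RSA key cannot be
// made to unwrap blobs produced for some other purpose.
var oaepLabel = []byte("card-envelope-v1")

// GenerateBackOfficeKey stands in for the key ceremony on the system that
// holds the private key; the web tier is handed only &priv.PublicKey.
func GenerateBackOfficeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the web tier, which has the public key and nothing else.
func Seal(pub *rsa.PublicKey, recordID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dek { // the web tier keeps no copy of the DEK
		dek[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only where the private key lives. A wrong record id or any
// tampering with the stored bytes fails authentication rather than
// returning garbage.
func Open(priv *rsa.PrivateKey, recordID string, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record failed authentication")
	}
	return pt, nil
}

func main() {
	priv, err := GenerateBackOfficeKey()
	if err != nil {
		panic(err)
	}
	// Constructed payload using the well-known Visa test number.
	env, err := Seal(&priv.PublicKey, "rec-1", []byte("pan=4111111111111111 exp=09/09"))
	if err != nil {
		panic(err)
	}
	fmt.Println("web tier stores:", base64.StdEncoding.EncodeToString(env.Ciphertext))
	pt, err := Open(priv, "rec-1", env)
	if err != nil {
		panic(err)
	}
	fmt.Println("back office reads:", string(pt))
	_, err = Open(priv, "rec-2", env)
	fmt.Println("same blob under another record id:", err)
}
```

The split matters more than the algorithms: if the private key ever lands on the web server "for convenience", the design collapses back to the single-key case Russ describes, so treat its location as the thing to audit.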
RE: Form Encryption
Got the comodo ssl in place, want to encrypt the data when inserted into sql and then decrypt it when calling it up

-----Original Message-----
From: Adkins, Randy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 12:13 PM
To: CF-Talk
Subject: RE: Form Encryption

SSL is one piece of the pie you should have!

-----Original Message-----
From: Steve Kahn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 11:59 AM
To: CF-Talk
Subject: RE: Form Encryption

protect credit card and personal info;
when the visitor submits form data at site and when the company employee logs in to site to call up the data

-----Original Message-----
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 11:42 AM
To: CF-Talk
Subject: Re: Form Encryption

On Wednesday 06 Jun 2007, Steve Kahn wrote:
> Does anyone have an easy to use 'Form Encryption' app they could recommend?

With the aim of doing what?
And since you mention 'encryption' - against what sort of an attacker?

--
Tom Chiverton
Helping to heterogeneously disintermediate total initiatives
on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280264
RE: Form Encryption
SSL is one piece of the pie you should have!

-----Original Message-----
From: Steve Kahn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 11:59 AM
To: CF-Talk
Subject: RE: Form Encryption

protect credit card and personal info;
when the visitor submits form data at site and when the company employee logs in to site to call up the data

-----Original Message-----
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 11:42 AM
To: CF-Talk
Subject: Re: Form Encryption

On Wednesday 06 Jun 2007, Steve Kahn wrote:
> Does anyone have an easy to use 'Form Encryption' app they could recommend?

With the aim of doing what?
And since you mention 'encryption' - against what sort of an attacker?

--
Tom Chiverton
Helping to heterogeneously disintermediate total initiatives
on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280263
RE: Form Encryption
protect credit card and personal info;
when the visitor submits form data at site and when the company employee logs in to site to call up the data

-----Original Message-----
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 11:42 AM
To: CF-Talk
Subject: Re: Form Encryption

On Wednesday 06 Jun 2007, Steve Kahn wrote:
> Does anyone have an easy to use 'Form Encryption' app they could recommend?

With the aim of doing what?
And since you mention 'encryption' - against what sort of an attacker?

--
Tom Chiverton
Helping to heterogeneously disintermediate total initiatives
on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280261
Re: Form Encryption
On Wednesday 06 Jun 2007, Steve Kahn wrote:
> Does anyone have an easy to use 'Form Encryption' app they could recommend?

With the aim of doing what?
And since you mention 'encryption' - against what sort of an attacker?

--
Tom Chiverton
Helping to heterogeneously disintermediate total initiatives
on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280254