On Wednesday 13 June 2007 01:35am, Brandon Stout wrote:
> Orson Jones wrote:
> > https is perfectly fine. The thing that worries me is what happens after it
> > hits the server (is it stored in an unencrypted format, is it stored
> > longer than necessary, is it transmitted elsewhere securely? etc.)
> >
> > Orson
>
> I agree.  However, if encrypted properly in the database, is there a
> "longer than necessary"?  Once on their server, perhaps it's less secure
> to have to request the card number again than to keep the number
> encrypted on the server.

Remember, there is no such thing as being secure.  It's all just trade-offs 
and risk management.  So, for each application, one has to decide if the 
trade-offs are better one way or the other.  It might well be better for one 
application to keep the encrypted card numbers in the DB but not worth it for 
another to have to deal with those encryption keys.
-- 
Lamont Peterson <[EMAIL PROTECTED]>
Founder [ http://blog.OpenBrainstem.net/peregrine/ ]
GPG Key fingerprint: 0E35 93C5 4249 49F0 EC7B  4DDD BE46 4732 6460 CCB5
OpenBrainstem: Intelligent Open Source Software Engineering
[ http://www.OpenBrainstem.net/ ]
_______________________________________________

UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net