On Sat, Feb 7, 2009 at 4:46 PM, Aristedes Maniatis <[email protected]> wrote:
> Except that credit cards are not a good example here. Speak to your gateway
> provider, but here in Australia they all let you run transactions against
> the same credit card *without storing the card number/expiry date/cvv*.
> Instead you store the previous transaction reference and you can use that to
> process future card payments between that card and the same merchant.
> Infinitely safer than storing card numbers.

So ... you'd want to encrypt the transaction reference and the gateway provider would want to encrypt the card number/etc. :-)

I basically see encryption as being desirable anytime personally identifiable/critical financial information needs to be stored (bank, stock trading, commerce, etc) or personally identifiable health information (doctor's offices, hospitals, testing labs, etc). I'm sure there are others, but those are the big ones (to me).

> Americans certainly are strange with their SSNs. You give them out at the
> drop of a hat to buy popcorn, and then still use them as a 'secure' form of
> identification.
>
> Ari

The SSN is almost a joke. When I first moved to Virginia, the Department of Motor Vehicles put your SSN on your driver's license (as your driver's license number). I was stunned. I was even more stunned to find out they had a web site where you could go look up someone's DL # (their SSN). Very dumb. They've fixed that now. Somewhat. (You could also get your Virginia driver's license without proving you were a resident of the state -- which is what I did, too.)

Anyway, I know the white paper needs more work. It was something I hacked together right about the time I left Fannie Mae (good timing). I wanted to get enough details down that I could remember what I was thinking at the time, but there are some inherent assumptions that I should flesh out sometime if it is useful to others. (Since it may not be obvious what I was thinking.)
