Ways to compromise the app server might be discovered, so I would encrypt in the database rather than the app (e.g. MySQL has an ENCRYPT function). Also, if debug was on, the confidential info might be visible.
> Win2K server, R:Tango 2000, R:Base 6.5
>
> I came up with an idea to hopefully secure personal information better than I have now and I am looking for comments about it. I know a lot of you refuse to store credit card info, but I need to for some applications. This could also apply to storing other personal info like social security number, drivers license, medical records, etc.
>
> Presently I have an order table in my database that stores credit card numbers. In this table I have a field called order number that is based on the following code: <@ASSIGN user$OrderNumber "<@currentdate format=datetime:%Y%m%d><@tstosecs <@currenttimestamp>>">
>
> What I am thinking about doing is pulling the credit card number, month, and year out of the order table and creating a totally separate database with one table with five fields, ID, CC number, CC month, CC year. The fifth field would be based on the following: <@CIPHER ACTION=hash STR=<@var user$OrderNumber> ENCODING=none>
>
> When retrieving orders the appropriate credit card info would be found by this fifth field. I have never done it, but I believe that you can access 2 databases at the same time with one .taf or .tml
>
> My strategy is that if someone hacked into my server and found the catalog DB with the order table, they may assume I don't store CC info. If they happened to find the CC database, it would be very difficult for them to correlate the proper name and address to the correct credit card info. Could a credit card number be used without the proper name and address?
>
> The final level of security would be to encrypt each field of the CC database with Witango 5 or have Windows 2000 or 2003 encrypt the entire CC DB files. Would this work?
>
> Thanks for your comments
>
> Steve Fogelson
> Internet Commerce Solutions
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf

Bill Conlon
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
office: 650.327.2175
fax: 650.329.8335
mobile: 650.906.9929
e-mail: mailto:[EMAIL PROTECTED]
web: http://www.tothept.com
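The two-database layout from the quoted proposal, as an added example that is not part of this thread (Python with sqlite3 standing in for R:Base and Witango). It keeps the order table and the card table in separate databases as proposed, but derives the linking fifth field with an HMAC under a server-side key instead of a bare hash of the order number, so the field cannot be recomputed from the order table alone; the field-level encryption Bill recommends is left to the database and not shown. The key, table layout and sample order are constructed.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime

# Server-side secret held outside both databases (constructed placeholder;
# load it from a key store or the environment in practice, never from the DB).
LOOKUP_KEY = b"constructed-demo-key-not-for-production"


def order_number(now=None):
    """Mirror the Witango expression: %Y%m%d followed by the epoch seconds."""
    now = now or datetime.now()
    return now.strftime("%Y%m%d") + str(int(now.timestamp()))


def link_token(order_no):
    """Keyed replacement for the hashed fifth field: an HMAC over the order
    number, so the token is only reproducible with LOOKUP_KEY in hand."""
    return hmac.new(LOOKUP_KEY, order_no.encode(), hashlib.sha256).hexdigest()


def open_stores():
    """Two separate databases, as proposed: catalog/orders and card data."""
    orders = sqlite3.connect(":memory:")
    cards = sqlite3.connect(":memory:")
    orders.execute("CREATE TABLE orders (order_no TEXT PRIMARY KEY, name TEXT, address TEXT)")
    cards.execute("CREATE TABLE cc (id INTEGER PRIMARY KEY, cc_number TEXT, "
                  "cc_month INTEGER, cc_year INTEGER, token TEXT UNIQUE)")
    return orders, cards


def store_order(orders, cards, order_no, name, address, cc_number, cc_month, cc_year):
    """Name and address go to the order table; card fields go only to the card
    store, keyed by the HMAC token rather than the order number itself."""
    orders.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_no, name, address))
    cards.execute("INSERT INTO cc (cc_number, cc_month, cc_year, token) VALUES (?, ?, ?, ?)",
                  (cc_number, cc_month, cc_year, link_token(order_no)))


def fetch_card(cards, order_no):
    """Retrieve the card for an order by recomputing the keyed token.
    Returns (cc_number, cc_month, cc_year) or None if no card is stored."""
    return cards.execute("SELECT cc_number, cc_month, cc_year FROM cc WHERE token = ?",
                         (link_token(order_no),)).fetchone()


def card_store_columns(cards):
    """Column names of the card table; the order number is not among them."""
    return [row[1] for row in cards.execute("PRAGMA table_info(cc)")]
```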
