Real quickly, yes, a credit card number can be used without any other information; your plan of dislocating cc information would be minor for a hacker to overcome.

My suggestion: Upgrade to Witango 5 (R:Witango 5) and use the new @CIPHER commands to encrypt your credit card number with TripleDES. Build the decipher command into a TCF call and save that TCF as run-only. These two simple steps will ensure that it'll be several years before a hacker could get a cc number from your system. Keep the key safe!!!

Robert Shubert
Tronics

PS. Alternatively, you can use TripleDES or Blowfish through a command line, COM or bean.

-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 19, 2003 12:09 PM
To: Witango User Group (E-mail)
Subject: Witango-Talk: Security idea

Win2K server, R:Tango 2000, R:Base 6.5

I came up with an idea to hopefully secure personal information better than I have now and I am looking for comments about it. I know a lot of you refuse to store credit card info, but I need to for some applications. This could also apply to storing other personal info like social security number, driver's license, medical records, etc.

Presently I have an order table in my database that stores credit card numbers. In this table I have a field called order number that is based on the following code:

    <@ASSIGN user$OrderNumber "<@currentdate format=datetime:%Y%m%d><@tstosecs <@currenttimestamp>>">

What I am thinking about doing is pulling the credit card number, month, and year out of the order table and creating a totally separate database with one table with five fields, ID, CC number, CC month, CC year. The fifth field would be based on the following:

    <@CIPHER ACTION=hash STR=<@var user$OrderNumber> ENCODING=none>

When retrieving orders the appropriate credit card info would be found by this fifth field. I have never done it, but I believe that you can access 2 databases at the same time with one .taf or .tml.

My strategy is that if someone hacked into my server and found the catalog DB with the order table, they may assume I don't store CC info. If they happened to find the CC database, it would be very difficult for them to correlate the proper name and address to the correct credit card info. Could a credit card number be used without the proper name and address?

The final level of security would be to encrypt each field of the CC database with Witango 5 or have Windows 2000 or 2003 encrypt the entire CC DB files.

Would this work?

Thanks for your comments

Steve Fogelson
Internet Commerce Solutions

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
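
Added example, not part of the original thread and not Witango code: a Python audit check of the link field discussed above, comparing an unkeyed hash of the order number with a keyed one. Assumptions: SHA-256 stands in for whatever algorithm @CIPHER ACTION=hash uses, HMAC is a keyed alternative that the thread does not mention, and all rows, card numbers and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample rows; the order-number shape (date + seconds) follows the post.
ORDERS = [
    {"order_number": "200309191063973340", "name": "A. Customer"},
    {"order_number": "200309191063973395", "name": "B. Customer"},
]
CARDS = ["4111111111111111", "5555555555554444"]  # public test card numbers


def plain_link(order_number: str) -> str:
    """Unkeyed hash of the order number (assumed stand-in for @CIPHER hash)."""
    return hashlib.sha256(order_number.encode()).hexdigest()


def keyed_link(order_number: str, key: bytes) -> str:
    """HMAC of the order number; the key is stored outside both databases."""
    return hmac.new(key, order_number.encode(), hashlib.sha256).hexdigest()


def build_card_table(link):
    """Separate card table as described in the post: link field -> card number."""
    return {link(o["order_number"]): pan for o, pan in zip(ORDERS, CARDS)}


def linkable_from_databases(card_table) -> int:
    """Audit check: count card rows that can be matched to an order using
    only data present in the two databases (no application secret)."""
    return sum(plain_link(o["order_number"]) in card_table for o in ORDERS)


KEY = b"constructed-demo-key-kept-outside-db"  # constructed placeholder key
split_unkeyed = build_card_table(plain_link)
split_keyed = build_card_table(lambda n: keyed_link(n, KEY))

if __name__ == "__main__":
    print("unkeyed hash, rows re-linked:", linkable_from_databases(split_unkeyed))
    print("keyed HMAC, rows re-linked:", linkable_from_databases(split_keyed))
```

The card numbers are left in the clear here to keep the focus on the link field; the reply's advice to encrypt them and keep the key safe still applies.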
