[thelist] how secure to store credit cards

.jeff jeff at members.evolt.org
Mon Jan 7 00:50:31 CST 2002


erik,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Erik Mattheis
>
> Looking on input on what security measures should be
> taken before I'd want to store credit card numbers in
> a DB on a webserver.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

ooh, fun topic.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Ideally, the best solution would be the client getting a
> list of orders and keying in the transaction on the grey
> box they already have.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

actually, depending on their deal with their card services provider, they
may not be able to do this without violating the terms of the contract
and/or breaking the law.

http://evolt.org/article/Credit_Card_E_Primer/18/12694/

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> What are thoughts on encrypting the card numbers with
> CF's Encrypt() and accessing them through SSL where the
> key has to be given ... the key would have to be
> stored somewhere on the webserver of course ... which
> bothers me ... ideas?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

there are many ways of attempting to secure the key, however, none keep the
key from being found out by someone with access to the source code --
however they have access.  consider though that if they have access to the
encrypted credit card numbers from the database, they probably also have
access to the source code.  so, encrypting them isn't really that much of a
protection.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Is there a service where the entire transaction could
> appear to the visitor to occur on the server, but the
> credit card is not billed until later (ie, the order is
> shipped)? The way the store looks is really important,
> so something like Payflow Link isn't an option - have
> to have complete control over all the HTML.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

we use cybercash for our clients and have been very happy with the results.
there's a very nice cfx tag available for interfacing with them.  we can
process real-time or at scheduled intervals.  we can process the
transactions from any internet-connected machine.  it doesn't even have to
be the webserver.  but, that begs the question, what do you do with the
credit card numbers until you process them?  which also begs the question,
why do you need to store the credit card numbers to begin with?

that aside, one of the better solutions is to store them on a machine that's
not accessible to the internet.  store them only for a very short, defined
period of time.  in this time period, process the transactions through your
selected payment gateway.  perform a manual export, via administrative tools
behind an ssl connection of processed (regardless of the results from the
payment gateway) orders and credit card numbers.  update all exported
records setting the credit card number to null.  pgp encrypt the file of
exported records with a pass phrase provided by the user of the
administration.  this user then physically takes the files to the
non-internet-connected machine where the process is reversed -- upload
encrypted file, decrypt using pass phrase provided by the user, import into
the database for permanent (?) storage.

oh, and one final thing, *never* send the credit card numbers back down the
pipe to the user of the administration as there's no guarantee that the
browser won't cache the page, the user won't login at a public terminal,
etc.  this way, the only way the user can access the credit card numbers is
via the non-internet-connected destination machine.  this gives the user
some motivation to be timely with their logins and exports of the data.

if someone were to break in to the system, the most they'd get would be the
credit card numbers since the last export and nothing more.  *if* it makes
you feel safer, you could even encrypt these numbers to slow them down.

good luck,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
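The export-and-null step of the procedure jeff describes (export processed orders, set their card numbers to null in the same step, pgp-encrypt the file with a pass phrase), as an added illustration that is not from the original post or from evolt; it assumes an in-memory sqlite orders table constructed here and gpg 2.x on the PATH for the symmetric encryption.

```python
import csv
import os
import shutil
import sqlite3
import subprocess


def make_demo_db():
    """Constructed sample data: the webserver's orders table (test card numbers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
                 "card_number TEXT, processed INTEGER, gateway_result TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "4111111111111111", 1, "approved"),
        (2, "bob", "5500000000000004", 1, "declined"),   # processed; result does not matter
        (3, "carol", "340000000000009", 0, None),        # not yet run through the gateway
    ])
    conn.commit()
    return conn


def export_and_clear(conn):
    """Select every processed order still carrying a card number and null the
    number in the same transaction, so the export file is the only copy left."""
    with conn:  # commit on success, roll back if the update fails
        rows = conn.execute(
            "SELECT id, customer, card_number, gateway_result FROM orders "
            "WHERE processed = 1 AND card_number IS NOT NULL ORDER BY id").fetchall()
        conn.executemany("UPDATE orders SET card_number = NULL WHERE id = ?",
                         [(r[0],) for r in rows])
    return rows


def numbers_still_on_webserver(conn):
    """What a break-in could yield: only numbers processed since the last export."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE card_number IS NOT NULL").fetchone()[0]


def write_encrypted_export(rows, passphrase, out_path):
    """Write the export as CSV and symmetrically encrypt it with gpg using the
    administrator's pass phrase (assumed: gpg 2.x on PATH); plaintext is removed."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    plain = out_path + ".csv"
    with open(plain, "w", newline="") as f:
        csv.writer(f).writerows(rows)
    try:
        subprocess.run(["gpg", "--batch", "--yes", "--symmetric", "--pinentry-mode",
                        "loopback", "--passphrase-fd", "0", "--output", out_path, plain],
                       input=passphrase.encode(), check=True)
    finally:
        os.remove(plain)  # nothing unencrypted stays on the webserver
    return out_path
```

Running export_and_clear twice in a row returns an empty list the second time, which is the property the post relies on: after an export the webserver holds no exported numbers.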