[thelist] how secure to store credit cards

martin.p.burns at uk.pwcglobal.com martin.p.burns at uk.pwcglobal.com
Mon Jan 7 04:11:58 CST 2002


Memo from Martin P Burns of PricewaterhouseCoopers

-------------------- Start of message text --------------------

Erik

You want to look at a public/private key system, like RSA, DES or Blowfish.

That way, all you need to store on the server is your public key, which won't
decrypt the content. You download the data, and decrypt it with your private
key which doesn't go anywhere except where it absolutely has to.

Normal practice is to have a 2 part transaction - at the point of purchase,
you reserve the funds on the cardholder's card, which means that they
can't spend the cash, but you don't actually get it. Then, when you ship,
you collect the funds you've reserved. If you can't ship, you release
the reservation.

Cheers
Martin

Please respond to thelist at lists.evolt.org

Sent by:  thelist-admin at lists.evolt.org

To:   thelist at lists.evolt.org
cc:

Subject:  [thelist] how secure to store credit cards

Looking for input on what security measures should be taken before I'd
want to store credit card numbers in a DB on a webserver.

Ideally, the best solution would be the client getting a list of
orders and keying in the transaction on the grey box they already
have. What are thoughts on encrypting the card numbers with CF's
Encrypt() and accessing them through SSL where the key has to be
given ... the key would have to be stored somewhere on the webserver
of course ... which bothers me ... ideas?

Is there a service where the entire transaction could appear to the
visitor to occur on the server, but the credit card is not billed
until later (ie, the order is shipped)? The way the store looks is
really important, so something like Payflow Link isn't an option -
have to have complete control over all the HTML.



--------------------- End of message text --------------------

This e-mail is sent by the above named in their
individual, non-business capacity and is not on
behalf of PricewaterhouseCoopers.
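The key split Martin describes, as an added example that is not code from the post or from either poster: the web server holds only a public key and seals each card number with it; the private key lives on a separate machine that is the only place the stored records can be opened. Of the three names in the post, only RSA is a public/private key system; DES and Blowfish are symmetric ciphers, so using them would leave the decryption key on the server, which is exactly the problem the original question raises. The example uses RSA-OAEP from Go's standard library. The StoredCard type and its fields, the "card-number-v1" label and the test card number 4111111111111111 are constructed for illustration and are not from the post.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
)

// StoredCard is what the web server's database holds: the last four digits
// in clear for display, and the full card number sealed to the offline key.
// (Constructed type, not from the post.)
type StoredCard struct {
	Last4  string
	Sealed string // base64 of the RSA-OAEP ciphertext
}

// label binds the ciphertext to this purpose so a ciphertext produced under
// the same key pair for some other use cannot be swapped in. Assumed value.
var label = []byte("card-number-v1")

// GenerateKeyPair runs once, offline. The private key never reaches the web
// server; only the public half is copied there.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// SealCard runs on the web server with the public key only. A card number is
// a short, low-entropy value, so a deterministic scheme would let anyone with
// the public key encrypt guesses and compare them against the database.
// OAEP is randomised: the same card sealed twice gives different ciphertexts.
func SealCard(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, fmt.Errorf("card number length %d out of range", len(pan))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), label)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{
		Last4:  pan[len(pan)-4:],
		Sealed: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// OpenCard runs on the separate machine that holds the private key, after the
// sealed records have been downloaded from the server. Opening with any other
// key fails the OAEP padding check and returns an error rather than garbage.
func OpenCard(priv *rsa.PrivateKey, c StoredCard) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(c.Sealed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, pub, err := GenerateKeyPair(2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample: the well-known Visa test number, not a real card.
	const pan = "4111111111111111"
	a, err := SealCard(pub, pan)
	if err != nil {
		log.Fatal(err)
	}
	b, _ := SealCard(pub, pan)
	fmt.Println("stored last4:", a.Last4)
	fmt.Println("same card, different ciphertexts:", a.Sealed != b.Sealed)
	opened, err := OpenCard(priv, a)
	fmt.Println("opened offline:", opened, err)
}
```

A 2048-bit key with SHA-256 OAEP accepts messages up to 190 bytes, so the card number, and an expiry date if you append one, fit in a single RSA block and no symmetric layer is needed. The split only protects data at rest: the checkout form still delivers the card number to the web server in clear at submit time, so the server must be trusted at that moment, and the private key is only as safe as the machine it is kept on.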
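The two-part transaction Martin describes (reserve at purchase, collect on shipment, release if you cannot ship) as an added example in Go, not code from the post or from any payment provider: a small authorisation record that only permits the transitions the post lists, so a capture can never exceed the reserved amount and each reservation is captured or released exactly once. The type and function names, the order IDs and the amounts are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthState is where one card authorisation sits in the two-part flow.
type AuthState int

const (
	Authorized AuthState = iota // funds reserved on the cardholder's card, not collected
	Captured                    // reserved funds actually collected, on shipment
	Released                    // reservation dropped because the order could not ship
)

func (s AuthState) String() string {
	return [...]string{"authorized", "captured", "released"}[s]
}

var (
	ErrNotAuthorized = errors.New("authorisation already captured or released")
	ErrBadAmount     = errors.New("capture amount must be positive and not exceed the reservation")
)

// Authorization is a constructed record of one reservation; amounts are in
// minor units (cents) to avoid floating point.
type Authorization struct {
	OrderID  string
	Reserved int64
	Captured int64
	State    AuthState
}

// Reserve is step one, at the point of purchase: hold the amount so the
// cardholder cannot spend it, without collecting anything yet.
func Reserve(orderID string, amount int64) (*Authorization, error) {
	if amount <= 0 {
		return nil, ErrBadAmount
	}
	return &Authorization{OrderID: orderID, Reserved: amount, State: Authorized}, nil
}

// Capture is step two, when the order ships. A partial shipment may collect
// less than was reserved but never more, and only while still Authorized.
func (a *Authorization) Capture(amount int64) error {
	if a.State != Authorized {
		return ErrNotAuthorized
	}
	if amount <= 0 || amount > a.Reserved {
		return ErrBadAmount
	}
	a.Captured = amount
	a.State = Captured
	return nil
}

// Release is the alternative to Capture when the order cannot be shipped:
// the hold is dropped and nothing is collected. It is likewise one-shot.
func (a *Authorization) Release() error {
	if a.State != Authorized {
		return ErrNotAuthorized
	}
	a.State = Released
	return nil
}

func main() {
	shipped, _ := Reserve("order-1", 4999)
	fmt.Println("over-capture rejected:", shipped.Capture(5000) == ErrBadAmount)
	fmt.Println("capture on shipment:", shipped.Capture(4999), shipped.State)
	fmt.Println("second capture rejected:", shipped.Capture(1) == ErrNotAuthorized)

	cancelled, _ := Reserve("order-2", 1000)
	fmt.Println("release when unable to ship:", cancelled.Release(), cancelled.State)
	fmt.Println("capture after release rejected:", cancelled.Capture(1000) == ErrNotAuthorized)
}
```

In a real integration the reservation and capture calls go to the acquirer's gateway, and a reservation that is neither captured nor released eventually lapses on the issuer's side; the point of keeping the state locally is that the shop can prove it never collected for an order it did not ship, and never collected twice.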