[thelist] how secure to store credit cards

Keith cache at dowebs.com
Tue Jan 8 11:57:56 CST 2002


Hey, thanks Jeff, for the details on Cold Fusion's Encrypt function!

> coldfusion's Encrypt() function takes a string and a key.  it uses the
> key to encrypt the string -- 

I'm assuming that the same key is needed to unencrypt the string. If 
so, then Erik's earlier worries would be valid: keeping the key on the 
server would make the attempt quite bogus. Unless.... unless you 
don't keep the key on the server.

Would this work as a poor man's method (considering the $400 
price tag for integrating PGP with CF)? Instead of keeping one key 
for all transactions, generate a unique key for each transaction and 
email the key and transaction number pair to the merchant during 
the process. A bandit would have to snag each email (or break into 
the email server) plus break into the e-commerce server to have an 
open door. 

I've seen a variation of a two-way hash one-key encryption done in 
perl. That installation used only one key for all transactions but the 
key did not exist on the server in hard form, it was kept in memory 
using mod_perl. (once a routine has been put into mod_perl 
memory you can remove the physical script and still run it, until you 
reboot). Question: does CF have any comparable capability for 
placing a value or routine in memory for persistent use?

> it's a little spendy ($400), but the expense is worth it for the peace
> of mind it'll give you.

Wow, that is a bit expensive, considering that all the PGP tools are 
free and take less than an hour to have running with Perl.

keith
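The per-transaction key scheme Keith sketches above (encrypt each card with a fresh key, keep only the ciphertext on the e-commerce server, send the transaction number and key pair to the merchant out of band) modelled end to end. This is an added example, not code from the mailing-list post and not ColdFusion's Encrypt(); the function and class names (process_order, merchant_decrypt, StoredTransaction, KeyNotice) are this example's own. Because the standard library has no AES, the cipher here is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC-SHA256 tag); a real deployment would use an AEAD such as AES-GCM. The card number in the demo is a constructed test value.

```python
"""Per-transaction key scheme from the thread, as an added Python example.

Not code from the original post and not ColdFusion's Encrypt(); all names are
this example's own. The server keeps only the ciphertext; the (transaction id,
key) pair goes to the merchant out of band (the post suggests email), so a
break-in on the web server alone yields nothing usable.

The cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream
plus HMAC-SHA256 tag) so the example runs without third-party packages.
A production deployment would use an AEAD such as AES-GCM instead.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_BYTES = 32
NONCE_BYTES = 16
TAG_BYTES = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the transaction key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StoredTransaction:
    txn_id: str
    amount_cents: int
    card_blob: bytes        # ciphertext only; the key never lands in this record


@dataclass
class KeyNotice:
    txn_id: str
    key: bytes              # what the post proposes emailing to the merchant


def process_order(amount_cents: int, card_number: str) -> tuple[StoredTransaction, KeyNotice]:
    """E-commerce server side: fresh key per transaction, discarded after use."""
    txn_id = secrets.token_hex(8)
    key = secrets.token_bytes(KEY_BYTES)
    record = StoredTransaction(txn_id, amount_cents, encrypt(key, card_number.encode()))
    notice = KeyNotice(txn_id, key)
    # Only `record` is persisted on the server; `notice` leaves via the out-of-band channel.
    return record, notice


def merchant_decrypt(records: dict[str, StoredTransaction], notice: KeyNotice) -> str:
    """Merchant side: pair the received key with the stored ciphertext by txn id."""
    return decrypt(notice.key, records[notice.txn_id].card_blob).decode()


def server_alone_can_decrypt(record: StoredTransaction) -> bool:
    """Model an attacker holding the server's database but not the merchant's mail.

    Without the key the only option is guessing; a wrong guess fails the MAC check.
    """
    try:
        decrypt(secrets.token_bytes(KEY_BYTES), record.card_blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input, not a real card number.
    record, notice = process_order(1999, "4111111111111111")
    db = {record.txn_id: record}
    print("stored on server:", record.txn_id, record.card_blob.hex()[:32], "...")
    print("merchant recovers:", merchant_decrypt(db, notice))
    print("server DB alone decrypts?", server_alone_can_decrypt(record))
```

The thing the thread is really after is separating the key from the ciphertext: here the server record never contains the key, so a compromise of the web server alone leaves the attacker with authenticated ciphertext they cannot decrypt, and the MAC check means a guessed key fails cleanly rather than yielding garbage. The channel that carries the KeyNotice (email, in the post's proposal) becomes the second thing the attacker has to break, which is exactly the two-break requirement Keith describes; a public-key scheme such as PGP removes even that dependency because the server only ever holds the merchant's public key.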



