[thelist] how secure to store credit cards
Keith
cache at dowebs.com
Mon Jan 7 17:59:34 CST 2002
Erik
> >http://evolt.org/article/Credit_Card_E_Primer/18/12694/
> From reading that article, it seems like you can pretty much do
> whatever you want and hope nothing bad comes of it ... that just
> astounds me!
Perhaps you need to re-read the article. I think it says just the
opposite. If you institute a method that exposes the cardholder to
theft you are personally liable and penalties are extreme. However,
VISA's guidelines March 2001 leave a great deal of latitude in how
you set up your own security. If we all used the same concept we
would have told the bandits what not to work on and made
ourselves equally vulnerable when they crack the one shared
concept. As in all things, there is strength in diversity.
> This is going to be for orders of products that need to be shipped,
> and to my understanding it's illegal to charge a card for a
>purchase before the order has shipped.
All web credit card transactions have two stages, the first stage
authorizes the amount, removing it from the card's availability, the
second stage actually charges the card. The first stage reserves
the amount for 30 days pending shipment. The second stage
cannot be done until the product has been shipped. Most accounts
require at least 24 hours between the two stages. It's not obvious
but even over-the-counter transactions use both stages, in an OTC
transaction the second stage is called "batching" and is done once
a day, either automatically or by request.
> So my task is to find a way to keep the card number until the
> order has shipped. --
Do not do that. Your real task sould be to find a way to keep the
card number only until the number has been removed from the
server and stored offline. Since you indicate that you will be
authorizing and charging the card with offline processes you have
no reason to leave it on the server, get that info off the web server
ASAP, not after shipment. Nothing else you can do will make your
setup more secure than doing this.
>What are thoughts on encrypting the card numbers with CF's
>Encrypt() and accessing them through SSL where the key has to
>be given ... they key would have to be stored somewhere on the
>webserver of course ... which bothers me ... ideas?
I'm not familiar with CF's Encrypt(). But there are two kinds of
encryption. The crypt function encrypts a string in a one-way non-
reversible hash. That data cannot be unencrypted. This method is
used to store passwords. Once the encrypted value of the
password is stored a user submits their password, which is
encrypted and compared against the stored encrypted value, if they
match then the password submitted was correct. That obviously will
not work for storing your credit card info since you need to
unencrypt it.
You therefore need to use public-private key encryption. The public
key is stored on the server. It encrypts the string but it cannot
unencrypt the string. Only the paired private key can unencrypt the
string and it is not stored on the server. When you go to get the
orders off the server you submit the private key so the server can
unencrypt the string and return it to the browser. At no time are the
unencrypted string or the private key written to the server, they just
exist in memory and the entire sequence is done within an SSL
session. PGP is the most commonly used public-private key
program for this sort of thing. Cold Fusion may have a built-in PGP
module available to Encrypt, the way you describe Encrypt the
private key would not be stored on the server, just the public key.
On the other hand I suspect that Encrypt just does a one-way hash
like for password storage.
>Is there a service where the entire transaction could appear to the
>visitor to occur on the server
No, that's a violation of ethics and legal code. The cardholder has a
right to know what domain their information is being submitted to.
Any attempt to mask that destination is fraud and a violation of any
merchant account issued after March 2001. For example: if you use
a page from your server containing a form submitting to a different
server the browser will warn the user that their submission is being
redirected, unless the user disables that feature in their security
options. Many services allow customization of their submission
pages so the look and feel of your site is expressed on their page.
But only a fool would allow you "have to have complete control over
all the HTML." on a page on their server if they are conducting
transactions. The only way you are going to have complete control
is to take complete responsibility: SSL enable your own server,
store the data on your server, etc.
Here's something else to think about, does your customer know
and trust your client, know and trust your security? Of course not.
Instead of seeing a third party web page as a problem try looking at
it as a feature. Make it clear to the consumer that their transaction
is being done on a different server, a server run by security experts.
The best setup I've seen for that is Bank Of America. It's obvious to
the consumer that their information is being submitted to, and
stored by, a major bank, that their information is being handled just
as securely as it would be if they were at the teller window in the
bank. I've seen websale increase 30% simply by converting to this
kind of a submission. Web consumers feel more confident, and you
can sleep better at night. Just a thought.....
keith
BTW, if you sell to Europeans, the cardholder's billing address, the
item purchased, and the amount of the purchase need to be
protected just as much as the credit card number. They justly have a
very strict attitude about privacy in the lands of the Euro.
More information about the thelist
mailing list