Web Hosting Talk







View Full Version : Storing Credit Card Numbers


rrsnider
12-07-2001, 11:43 AM
Does anyone know of a product or technique to encrypt credit card numbers stored on a database? I am launching an e-commerce site and am concerned about the hacking of databases. I want to be able to encrypt customers' credit card numbers stored on my database. Any thoughts?

Thanks.

TedS
12-07-2001, 11:56 AM
The most simple solution, don't.

If you feel you HAVE to have numbers, md5 will work for a simple, quick but somewhat decent encrypt. Of course (in theory) once the data is crypted it doesn't come back so you can't view it.

Basically, if all of your security is done right, encrypting will give you strings you can't view or use. The only thing they'd be good for is comparing a number against them, but you couldn't use them for rebilling or anything like that.

If you want to store credit card numbers, find a merchant that does it for you.

thewitt
12-07-2001, 01:02 PM
Originally posted by TedS
The most simple solution, don't.

If you feel you HAVE to have numbers, md5 will work for a simple, quick but somewhat decent encrypt. Of course (in theory) once the data is crypted it doesn't come back so you can't view it.[clip]
An MD5 HASH is not how you would encrypt and store credit card numbers, since it's one-way and cannot be reversed.

If you want your customers to be able to store their credit card information in a profile so that you can use it later, you will need to use a synchronous encryption method like Blowfish, and protect the key.

Most shared hosting environments do not provide a safe way to protect this data, so they end up being vulnerable to credit card theft.

If you are on a dedicated server, protection is easier, and I would suggest you NOT do this without having an expert application designer working with you to provide as close to iron-clad protection as you can get.

Here's a good place to start learning about encryption options: http://www.canis.uiuc.edu/~bgross/crypto.html

-t

vansam
12-07-2001, 01:05 PM
We have a free PHP function library that includes the ability to encrypt data and store it in a MySQL database. It also can later be decrypted. The script library also includes the ability to charge CCs at authorize.net and verisign Payflow Pro.

You can find the script lib at:

http://vansam.com/code.html
(under Credit Card Function Library)

We are using the mcrypt library for encryption, so you need to have that compiled into PHP in order to use the script.

Note: I would caution against storing credit cards in a database, encrypted or not, unless you really know what you are doing.

Vansam Software
www.vansam.com

Pavlov
12-11-2001, 02:19 PM
I can store 'em for you )))

bitserve
12-11-2001, 09:30 PM
pavlov,

LOL! :D

Skeptical
12-12-2001, 04:53 AM
Originally posted by Pavlov
I can store 'em for you )))

An offer nobody can refuse.
:stickout :rolleyes:

bobcares
12-12-2001, 07:15 AM
Hi!
Actually php has a set of encryption/decryption scripts.
You can simply use them to store it into the mysql database.
However, like everybody, my suggestion too would be to use a merchant system where the credit card is stored with them.

Have a great day :)

regards
amar

DavidU
12-12-2001, 12:05 PM
Originally posted by bobcares
Hi!
Actually php has a set of encryption/decryption scripts.
You can simply use them to store it into the mysql database.


Amar,

I read your posts every day. Usually you are right on with what you offer for help. This is the first time where I think you are totally wrong.

To everyone else,

PHP has _NO_ secure crypt functions because using the only semi-decent mcrypt_encrypt() function still requires you to have a key live on the server, which is futile. There is no secure way to store credit card numbers on a server. The only way to keep a credit-card number is to dump it on a private // out-of-band server that has been totally tightened down and has extremely limited access.

greetz,
davidu
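
The key-placement problem raised in the last post, as an added example that is not code from any poster or from the Vansam library: the web server holds only a public key and can seal a card number but never open it, while the keypair that can decrypt stays on the out-of-band host. It swaps in libsodium sealed boxes instead of the mcrypt/Blowfish approach discussed in the thread; it assumes PHP 7.2+ with the sodium extension, and the function names and the two-host split are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.2+ with ext-sodium.

// Run once on the out-of-band billing host (hypothetical role).
// The full keypair never leaves that host; only the public key is
// copied to the web server.
function billing_host_generate_keypair(): array
{
    $keypair = sodium_crypto_box_keypair();
    return [
        'keypair'    => $keypair,                              // stays off the web server
        'public_key' => sodium_crypto_box_publickey($keypair), // deployed to the web server
    ];
}

// Runs on the web server, which holds only the public key.
function web_store_card(string $pan, string $publicKey): array
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        throw new InvalidArgumentException('card number must be 13-19 digits');
    }
    return [
        'last4'  => substr($digits, -4), // for "card ending in ..." display
        'sealed' => base64_encode(sodium_crypto_box_seal($digits, $publicKey)),
    ];
}

// Runs on the billing host at rebilling time.
function billing_host_open_card(string $sealedB64, string $keypair): string
{
    $raw   = base64_decode($sealedB64, true);
    $plain = ($raw === false) ? false : sodium_crypto_box_seal_open($raw, $keypair);
    if ($plain === false) {
        throw new RuntimeException('sealed value is corrupt or was sealed for another key');
    }
    return $plain;
}

// Constructed demo with a widely used test card number, not real data.
$keys = billing_host_generate_keypair();
$row  = web_store_card('4111 1111 1111 1111', $keys['public_key']);
echo "web server stores: last4={$row['last4']}, sealed blob of "
    . strlen($row['sealed']) . " base64 chars\n";
echo 'billing host recovers: '
    . billing_host_open_card($row['sealed'], $keys['keypair']) . "\n";
```

A dump of the web server's database and code yields the sealed blobs and the public key only; the card number still passes through the web server's memory at the moment it is submitted.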