  1. #1 (Join Date: Apr 2003 | Location: Los Angeles, CA | Posts: 245)

    modernbill and cc encryption

    Hello everyone,

    Do any of you use modernbill and store the credit cards on the server?

    Question 1: Do you think that, even with a totally secure server, it is fairly safe to store encrypted credit cards?

    Question 2: Are you ever worried someone might break in and figure out a way to decrypt it?

    Question 3: What do you think is the minimum number of characters someone should use for their encryption code?

    I would love to hear people's inputs.

  2. #2 (Join Date: Nov 2003 | Location: Chicago, IL | Posts: 1,718)
    MB recommends that one not store CC#'s.

    If you do, be sure to encrypt using a secure password. That is all I can say.
    Sid Shroff
    Senior Enterprise Web Administrator
    IIS, .NET, MS SQL
    SidShroff.com

  3. #3
    My webhosting company uses ModernBill to encrypt the credit cards. We suggest an encryption key of at least about 8 characters. We have had no problems with doing it this way and find it to be a very nice way to handle things.

  4. #4 (Join Date: Nov 2003 | Location: Ohio | Posts: 504)
    Credit Cards should not be stored on the server. This is what I would do:

    Have it encrypt it with a 12 character encryption key upon sign-up.

    As soon as you are notified of the new signup, CC#, etc., take the information down to your local machine and delete it from the database.

    Do not store it physically unless you have a lock box, safe, etc. I keep my passwords in a zipped .txt that is password protected.

  5. #5
    Regardless of the well-meaning advice being given here, there are extremely rigid requirements concerning the storing of credit card information. Please review Visa's CISP policy (Cardholder Information Security Program). If these requirements are not met you could be liable for any and all credit card fraud that may occur with any of the cards you store.

    Hardly worth the hardware required, or the investment it would take to maintain conformance with CISP regulations...

  6. #6
    The CISP Requirements

    An easy to remember list of 12 basic security requirements with which all Visa payment system constituents need to comply

    -Install and maintain a working firewall to protect data
    -Keep security patches up-to-date
    -Protect stored data
    -Encrypt data sent across public networks
    -Use and regularly update anti-virus software
    -Restrict access by "need to know"
    -Assign unique ID to each person with computer access
    -Don't use vendor-supplied defaults for passwords and security parameters
    -Track all access to data by unique ID
    -Regularly test security systems and processes
    -Implement and maintain an information security policy
    -Restrict physical access to data
    Don't you do all this already? I think it's not that difficult to do.

    If these requirements are not met you could be liable for any and all credit card fraud that may occur with any of the cards you store.
    Aren't you liable even if you follow these guidelines? These guidelines should be considered OBVIOUS and the bare minimum to get by.


    Question 1: Do you think that, even with a totally secure server, it is fairly safe to store encrypted credit cards?
    Rule #1: An internet-connected server cannot be made totally secure. You have to assume that someone can and MIGHT be able to root-compromise the server, no matter how unlikely it may seem.

    Question 2: Are you ever worried someone might break in and figure out a way to decrypt it?
    See rule #1.

    I would argue that even IF someone obtained root, they should NOT be able to decrypt the sensitive information. I believe that with proper application of PKI security this is entirely possible.

    Question 3: What do you think is the minimum number of characters someone should use for their encryption code?
    2048-bit would work OK. Read this:

    http://www.eco.utexas.edu/faculty/No.../SSim/key.html

    An interesting excerpt:
    RSA recommends that 512-bit keys do not currently provide sufficient security, and should be discontinued in favor of 768-bit keys for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a certifying authority
    I would think that if 2048-bit is enough for Verisign it should be enough for you to store your credit cards with.

    As soon as you are notified of the new signup, CC#, etc., take the information down to your local machine and delete it from the database.
    Good idea in thought. What about in practice?

    Presumably then, you are storing the info elsewhere. On paper? On your Windows box at home? Either of those choices is CONSIDERABLY worse than properly encrypted in a database online.

    I keep my passwords in a zipped .txt that is password protected
    Email me your .zip file and I will email you back your passwords in plaintext.

    My webhosting company uses modernbill to encrypt the credit cards
    MB does not store credit cards safely in a recurring-billing scenario at least as of the last time I reviewed the software for purchase.

    MB recommends that one not store CC#'s.
    Here is why:

    Recurring billing is done via Cron. How would the server decrypt the credit card numbers? You guessed it - the key is KEPT ON THE SERVER.

    Might as well store your numbers in plain text - a hacker with any level of aptitude will simply find the key and extract the data. It fails my proposal that even if root is compromised the data must be kept safe.
    Last edited by innova; 05-04-2004 at 11:57 PM.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"
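innova's post above argues that properly applied public-key cryptography can keep stored data safe even after a root compromise, and that ModernBill's cron-driven recurring billing defeats this because the decryption key has to sit on the same server as the ciphertext. The following Go program is an added illustration of that split and is not code from this thread or from ModernBill: the internet-facing server holds only an RSA public key and can seal card data, while opening the envelope needs a private key that stays on an offline machine. The function names, the hybrid construction (a fresh AES-256-GCM data key wrapped with RSA-OAEP, so arbitrary-length records fit under a 2048-bit key), and the sample card number are my own assumptions; the card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the billing server stores per card: the card data sealed
// under a one-time AES-256-GCM key, plus that key wrapped with the OFFLINE
// RSA public key. Nothing on the server can recover the plaintext without
// the matching private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(dataKey) under the offline public key
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM(card data) with the auth tag appended
}

// SealForOfflineKey runs on the internet-facing server. It needs only the
// public key, so a full root compromise yields ciphertext plus a public key.
func SealForOfflineKey(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256, generated fresh for every record
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // discard the plaintext data key as soon as it is wrapped
		dataKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenOffline runs on the machine holding the private key, which is never
// copied to the server. With the wrong private key the OAEP unwrap fails and
// the AES key is never recovered; a modified envelope fails the GCM tag check.
func OpenOffline(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: envelope was altered")
	}
	return pt, nil
}

func main() {
	// The key pair is generated on the offline machine; only the public half
	// is deployed to the server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	card := []byte("4111111111111111") // constructed sample PAN, not a real card
	env, err := SealForOfflineKey(&priv.PublicKey, card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores a %d-byte wrapped key and %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Ciphertext))
	pt, err := OpenOffline(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("offline machine recovered: %s\n", pt)
	// A second key pair stands in for someone who has everything on the
	// server but not the offline private key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := OpenOffline(other, env); err != nil {
		fmt.Println("without the offline private key:", err)
	}
}
```

The caveat is the one innova raises: because the server cannot open the envelope, a cron job on that server cannot charge the card either. Automated recurring billing therefore forces a choice between keeping the private key on the server (which collapses back to the key-beside-the-data situation described in the post) and running the recurring charges from the machine that actually holds the key.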

  7. #7 (Join Date: Jun 2005 | Posts: 3,455)
    Well, I agree with you, innova.
    No sensitive data should be open to the public; the data should be offline. You are wrong about that: offline data is at least 99% safer. People should not have data on servers, not even ones that are only LAN-connected; offline data is still the safest place.
    1. Don't just store your data on a local PC; a local PC could have internet access, LAN access or even personal access.
    Store it on a CD, DVD, ZIP or external hard disk.
    On the CD or wherever it's stored, encrypt the data, not with ZIP of course (it's very easy to crack zip files); encrypt it with tools for heavy use like PGP. Use the International version, not the US version. Why?
    The US version has limited encryption, because the government cannot crack it so easily if you use the full encryption mode. So use the International one; I think it's even illegal to use the International one if you live in the US.

    2. Don't leave the CD near the PC; store it under lock if you want to be safe, and the unlocking code should be on a PC that also doesn't have a LAN or internet connection. Use a fingerprint device, so only the person allowed can access the PC. The devices are not expensive; they cost around $60.

    So now we have 2 possible scenarios for cracking the data.
    1. You must be a very good hacker.
    2. You must be a very good thief.

    Even if you get the CD with the data, after breaking into the office, cracking the alarm and even opening the safe box, you must be a very good hacker to crack the info. Most crackers are just crackers, not people who will actually put a gun to your head, so you would need two persons to actually get the data. Of course nothing is 100% safe in life, but I can assure you not even Yahoo has such restrictions. Also, you could even have one CD with the data and another one with the key to decrypt the data. So yes, all this is safer than encrypting on your server. Of course it's not practical if you have to use the data all the time, but that is another story. The safer it is, the harder and more anti-commercial it is to use the data, since you cannot use it whenever you want.
    As for ModernBill, just a question: if you actually don't store the cards on the server, how will ModernBill process recurring payments???
    It's safe, but if it can't process recurring payments you actually bought automation software which you can't use, since it's not automatic.

  8. #8 (Join Date: Aug 2003 | Location: Chesapeake, VA | Posts: 3,381)
    It is a very valid point about ModernBill storing the key on the server - if the server is compromised, it would likely be one of the first things that the hacker targets.

    In addition, keep in mind that with most data centers, your servers are openly accessible to anyone in the data center without any kind of ID tracking or logging unless you have your own private cage or space in the data center.

    One of the CISP requirements addresses the physical security and accessibility of all servers used so this is definitely something to keep in mind... all of the best security on a box can be easily rendered useless to someone with physical console access.
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  9. #9 (Join Date: Oct 2000 | Location: Toronto | Posts: 1,110)
    Pardon me for being completely ignorant, but how does recurring billing with modernauthorize work?

    Where is the credit card info stored to perform the recurring transactions?

  10. #10 (Join Date: Jun 2005 | Posts: 3,455)
    Well, that is a good question. If the card is not stored, I think (I'm not sure) ModernBill can't do recurring billing.
    As for third parties like 2checkout, they said they would support recurring billing in the next release, estimated August, but I think the card would have to be stored; if not, how would this work? I don't have ModernBill (I had it some time ago), so if someone can explain, please do.

  11. #11 (Join Date: Aug 2003 | Location: Chesapeake, VA | Posts: 3,381)
    The ModernBill software stores the credit card data on the merchant's server. It is encrypted, of course, but it is still present there on the server.

    If the user has billing set up as an automated cron job, it is also necessary to have the key present on the server, unless something has changed recently.
