Thread: modernbill and cc encryption
04-02-2004, 04:04 AM, #1, Junior Guru (Join Date: Apr 2003; Location: Los Angeles, CA; Posts: 245)
Hello everyone,
Do any of you use ModernBill and store the credit cards on the server?
Question 1: Do you think that, even with a totally secure server, it is fairly safe to store encrypted credit cards?
Question 2: Are you ever worried someone might break in and figure out a way to decrypt it?
Question 3: What do you think is the minimum number of characters someone should have as their encryption code?
I would love to hear people's input.
04-02-2004, 04:22 AM, #2, Web Hosting Master (Join Date: Nov 2003; Location: Chicago, IL; Posts: 1,718)
MB recommends that one not store CC#s.
If you do, be sure to encrypt using a secure password. That is all I can say.
05-01-2004, 10:22 PM, #3, Newbie (Join Date: May 2004; Posts: 8)
My web hosting company uses ModernBill to encrypt the credit cards. We suggest an encryption key of at least about 8 characters. We have had no problems doing it this way and find it to be a very nice way to handle things.
05-01-2004, 10:51 PM, #4, Temporarily Suspended (Join Date: Nov 2003; Location: Ohio; Posts: 504)
Credit cards should not be stored on the server. This is what I would do:
Have it encrypt the card with a 12-character encryption key upon sign-up.
As soon as you get notice of the new signup, CC#, etc., take the information down to your local machine and delete it from the database.
Do not store it physically unless you have a lock box, safe, etc. I keep my passwords in a zipped .txt that is password protected.
05-02-2004, 11:08 AM, #5, Build It Better! (Join Date: Dec 2002; Posts: 5,448)
Regardless of the well-meaning advice being given here, there are extremely rigid requirements concerning the storing of credit card information. Please review Visa's CISP policy (Cardholder Information Security Program). If these requirements are not met, you could be liable for any and all credit card fraud that may occur with any of the cards you store.
Hardly worth the hardware required, or the investment it would take to maintain conformance with CISP regulations...
05-04-2004, 11:54 PM, #6, Web Hosting Master (Join Date: Dec 2002; Posts: 1,304)
The CISP Requirements
An easy-to-remember list of 12 basic security requirements with which all Visa payment system constituents need to comply:
-Install and maintain a working firewall to protect data
-Keep security patches up-to-date
-Protect stored data
-Encrypt data sent across public networks
-Use and regularly update anti-virus software
-Restrict access by "need to know"
-Assign unique ID to each person with computer access
-Don't use vendor-supplied defaults for passwords and security parameters
-Track all access to data by unique ID
-Regularly test security systems and processes
-Implement and maintain an information security policy
-Restrict physical access to data
If these requirements are not met, you could be liable for any and all credit card fraud that may occur with any of the cards you store.
Quote: Question 1: Do you think that, even with a totally secure server, it is fairly safe to store encrypted credit cards?
Quote: Question 2: Are you ever worried someone might break in and figure out a way to decrypt it?
I would argue that even IF someone obtained root, they should NOT be able to decrypt the sensitive information. I believe that with proper application of PKI security this is entirely possible.
Quote: Question 3: What do you think is the minimum number of characters someone should have as their encryption code?
http://www.eco.utexas.edu/faculty/No.../SSim/key.html
An interesting excerpt:
RSA recommends that 512-bit keys do not currently provide sufficient security, and should be discontinued in favor of 768-bit keys for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a certifying authority.
Quote: As soon as you get notice of the new signup, CC#, etc., take the information down to your local machine and delete it from the database.
Presumably, then, you are storing the info elsewhere. On paper? On your Windows box at home? Either of those choices is CONSIDERABLY worse than properly encrypted in a database online.
Quote: I keep my passwords in a zipped .txt that is password protected.
Quote: My web hosting company uses ModernBill to encrypt the credit cards.
Quote: MB recommends that one not store CC#s.
Recurring billing is done via cron. How would the server decrypt the credit card numbers? You guessed it: the key is KEPT ON THE SERVER.
Might as well store your numbers in plain text; a hacker with any level of aptitude will simply find the key and extract the data. It fails my proposal that even if root is compromised the data must be kept safe.
Last edited by innova; 05-04-2004 at 11:57 PM.
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
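The split innova argues for (root on the billing server must not be enough to decrypt), as an added Go example that is not code from the thread or from ModernBill: the server holds only an RSA public key and stores each card as OAEP ciphertext plus the last four digits, while decryption runs on an offline machine holding the private key. The names StoredCard, EncryptForOffline and DecryptOffline, the label string and the test card number are all constructed for this example; the trade-off is exactly the one raised above, since an unattended cron on the server can no longer read these cards, so recurring charges must be run from the offline side or via the gateway.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// oaepLabel binds ciphertexts to this purpose; a ciphertext made under a
// different label (or key) fails to decrypt instead of yielding garbage.
var oaepLabel = []byte("cardholder-pan-v1")

// StoredCard is all the billing server keeps: a display stub plus ciphertext.
// Neither a symmetric key nor the RSA private key ever lives on this host.
type StoredCard struct {
	Last4  string
	Cipher []byte
}

// EncryptForOffline runs on the web/billing server, which holds ONLY the public key.
func EncryptForOffline(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 { // PAN lengths in use are 13 to 19 digits
		return StoredCard{}, fmt.Errorf("PAN length %d out of range", len(pan))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Last4: pan[len(pan)-4:], Cipher: ct}, nil
}

// DecryptOffline runs on the isolated machine that holds the private key.
func DecryptOffline(priv *rsa.PrivateKey, card StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, card.Cipher, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Key pair is generated offline; only &priv.PublicKey is copied to the server.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	card, err := EncryptForOffline(&priv.PublicKey, "4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores last4=%s and %d bytes of ciphertext\n", card.Last4, len(card.Cipher))
	pan, _ := DecryptOffline(priv, card)
	fmt.Println("offline machine recovers", pan)
}
```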
06-03-2005, 02:11 AM, #7, Disabled (Join Date: Jun 2005; Posts: 3,455)
Well, I agree with you, innova.
No sensitive data should be open to the public; the data should be offline. You are wrong about that: offline data is at least 99% safer. People should not have data on servers, not even ones that are LAN connected; offline data is still the safest place.
1. Don't just store your data on a local PC; a local PC could have internet access or LAN access or even personal access.
Store it on a CD or DVD or ZIP or external hard disk.
On the CD or wherever it's stored, encrypt the data, not with ZIP of course; it's very easy to crack zip files. Encrypt it with tools for heavy use like PGP. Use the International version, not the US version. Why?
The US version has limited encoding files because the government cannot crack it so easily if you use the full encryption mode. So use the International one; I think it's even illegal to use the International one if you live in the US.
2. Don't leave the CD near the PC; store it under lock if you want to be safe, and the unlocking code should be on a PC that also doesn't have a LAN or internet connection. Use a fingerprint device, so only the person allowed can access the PC. The devices are not expensive; they cost about $60.
So now we have 2 possible scenarios for cracking the data.
1. You must be a very good hacker.
2. You must be a very good thief.
Even if you get the CD with the data, after breaking into the office and cracking the alarm, and even opening the safe box, you must be a very good hacker to crack the info. Most crackers are just crackers, not people who will actually put a gun to your head, so you would need 2 persons to actually get the data. Of course nothing is 100% safe in life, but I can assure you not even Yahoo has such restrictions. Also, you could even have one CD with the data and another one with the key to decrypt the data. So yes, all this is safer than encrypting on your server. Of course it's not practical if you have to use the data all the time, but that is another story. The safer it is, the harder and more anti-commercial it is to use the data, since you cannot use it whenever you want.
As for ModernBill, just a question: if you actually don't store the cards on the server, how will ModernBill process recurring payments???
It's safe, but if it can't process recurring payments you actually bought automation software which you can't use, since it's not automatic.
06-03-2005, 07:46 AM, #8, The E-Commerce Answer Guy (Join Date: Aug 2003; Location: Chesapeake, VA; Posts: 3,381)
It is a very valid point about ModernBill storing the key on the server; if the server is compromised, it would likely be one of the first things that the hacker targets.
In addition, keep in mind that with most data centers your servers are openly accessible to anyone in the data center without any kind of ID tracking or logging, unless you have your own private cage or space in the data center.
One of the CISP requirements addresses the physical security and accessibility of all servers used, so this is definitely something to keep in mind... all of the best security on a box can be easily rendered useless by someone with physical console access.
06-04-2005, 02:34 PM, #9, Web Hosting Master (Join Date: Oct 2000; Location: Toronto; Posts: 1,110)
Pardon me for being completely ignorant, but how does recurring billing with modernauthorize work?
Where is the credit card info stored to perform the recurring transactions?
06-04-2005, 04:03 PM, #10, Disabled (Join Date: Jun 2005; Posts: 3,455)
Well, that is a good question. If the card is not stored, I think (I'm not sure) ModernBill can't do recurring billing.
As for third parties like 2Checkout, they said they would support recurring billing in the next release, estimated for August, but I think the card would have to be stored; if not, how would this work? I don't have ModernBill, I had it some time ago, so if someone can explain, please do.
06-05-2005, 01:26 AM, #11, The E-Commerce Answer Guy (Join Date: Aug 2003; Location: Chesapeake, VA; Posts: 3,381)
The ModernBill software stores the credit card data on the merchant's server. It is encrypted, of course, but it is still present there on the server.
If the user has billing set up as an automated cron, it is also necessary to have the key present on the server as well, unless something has changed recently.