Thread: Proper way to store CC

09-05-2002, 12:31 AM #1 Web Hosting Master (joined Jan 2002, Atlanta, GA, 1,249 posts)
Proper way to store CC
I'm designing a web-based order form for a company.
They don't want to take CCs directly online. They want to have the CCs stored in the DB, verify the orders, and then process them through their CC machine in store.
What would be the proper way to store them online?
What's a good crypto function to use that would be acceptable for this application?

char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
I wear a gray hat

09-05-2002, 12:48 AM #2 Web Hosting Master (joined Jan 2001, 2,605 posts)
RSA, 1024 bits, sent to them via email and stored on the machine (in case the email gets lost).
If you're lazy, use GPG; otherwise, write your own implementation.

Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/

09-06-2002, 01:11 PM #3 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)
There is also an EXPERIMENTAL OpenSSL module for PHP:
http://www.php.net/manual/en/ref.openssl.php

09-06-2002, 06:09 PM #4 Web Hosting Master (joined Nov 2000, 3,046 posts)
I would store it in the DB using the method mentioned above (RSA), as long as it is NOT on a multi-user machine (i.e., it had better be dedicated). I would then email the store owner when they get an order and have a secure backend they log in to and view credit cards that need to be processed.
I would avoid sending ANY private information via email.

A well-reasoned assumption is very close to fact.
- Adorno

09-07-2002, 02:52 PM #5 Web Hosting Guru (joined Oct 2001, 315 posts)
Yup, agree with comphosting. When I build ecommerce sites for customers I do the same thing: just send a notification that "you have an order", and then have them securely log in through an SSL page that actually shows the credit card data. One thing I wanted to add, though: I have an extra button that, once they've processed the order, overwrites the credit card information with zeros... no sense storing it. Don't forget: if the server can display the number, then the key is somewhere on the server; someone who hacks root, or at least gains the ability to read scripts, can gain access to the encrypted data and the key to unencrypt it.
I wish there was an easy solution for recurring transactions, short of putting them on a floppy on a workstation and keeping the floppy in a safe.

09-07-2002, 02:59 PM #6 Web Hosting Master (joined Jan 2001, 2,605 posts)
Originally posted by getweb
Don't forget: if the server can display the number, then the key is somewhere on the server; someone who hacks root, or at least gains the ability to read scripts, can gain access to the encrypted data and the key to unencrypt it.

Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/

09-07-2002, 03:24 PM #7 Disabled (joined Aug 2002, 1,216 posts)
Write your own Blowfish algorithm. That way it can be encrypted on the server side but decrypted on the client side. This would be the best way to take on this situation, in my opinion.

09-07-2002, 03:31 PM #8 Web Hosting Master (joined Jan 2001, 2,605 posts)
Originally posted by ChickenSteak
Write your own Blowfish algorithm. That way it can be encrypted on the server side but decrypted on the client side. This would be the best way to take on this situation, in my opinion.
Blowfish is symmetric. If you can encrypt it on the server, you can decrypt it on the server.
You want something asymmetric, like RSA or ElGamal.

Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/
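The design that posts #2, #4, #5 and #8 converge on is: the web server holds only a public key and can encrypt an order's card number but never decrypt it; the private key lives on the merchant's workstation (or, as getweb put it, on a floppy in a safe); and once the card has been run in store, the stored ciphertext is overwritten with zeros. The following is an added example, not code from the thread or from any of its posters, written against Go's standard-library crypto/rsa with RSA-OAEP. The function names, the OrderRecord type, the OAEP label, the 2048-bit key size and the sample order (using the standard 4111 1111 1111 1111 test PAN) are all assumptions. Two caveats a practitioner would add today: the 1024-bit RSA suggested in 2002 is below the current minimum (use 2048 bits or more), and RSA-OAEP can only encrypt a short message (190 bytes with a 2048-bit key and SHA-256), which is fine for a PAN but means anything larger needs hybrid encryption. Storing PANs at all also puts a merchant in PCI DSS scope, which is why most merchants now let a payment processor tokenize the card instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// oaepLabel binds each ciphertext to its purpose (assumed value, not from the thread).
var oaepLabel = []byte("order-card-number")

// GenerateMerchantKeypair runs on the merchant's workstation, never on the web
// server. The private key stays there; only the PEM public key goes to the server.
func GenerateMerchantKeypair(bits int) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// ParsePublicKey loads the only key material the web server ever holds.
func ParsePublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// OrderRecord is the row the web server writes to its database. It never
// holds the card number in the clear.
type OrderRecord struct {
	OrderID   string
	Card      []byte // RSA-OAEP ciphertext; zeroed once the order is processed
	Processed bool
}

// StoreOrder is the web-server side. It can only encrypt: with just the public
// key on the server, a root compromise yields ciphertext and no key.
func StoreOrder(pub *rsa.PublicKey, orderID, pan string) (*OrderRecord, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return nil, err
	}
	return &OrderRecord{OrderID: orderID, Card: ct}, nil
}

// DecryptOrder is the workstation side, where the private key lives.
func DecryptOrder(priv *rsa.PrivateKey, rec *OrderRecord) (string, error) {
	if rec.Processed {
		return "", errors.New("order already processed; card data was wiped")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.Card, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MarkProcessed is getweb's "overwrite with zeros" button: after the card has
// been run in store, the ciphertext is wiped in place and the record flagged.
func MarkProcessed(rec *OrderRecord) {
	for i := range rec.Card {
		rec.Card[i] = 0
	}
	rec.Processed = true
}

func main() {
	priv, pubPEM, err := GenerateMerchantKeypair(2048) // workstation
	if err != nil {
		panic(err)
	}
	pub, err := ParsePublicKey(pubPEM) // this is all the web server gets
	if err != nil {
		panic(err)
	}
	rec, err := StoreOrder(pub, "A-1001", "4111111111111111") // constructed sample order
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stored %d bytes of ciphertext for order %s\n", len(rec.Card), rec.OrderID)
	pan, err := DecryptOrder(priv, rec) // workstation
	if err != nil {
		panic(err)
	}
	fmt.Println("workstation decrypted:", pan)
	MarkProcessed(rec)
	_, err = DecryptOrder(priv, rec)
	fmt.Println("after processing:", err)
}
```

The split matters more than the algorithm: an attacker who gets root on the web server gets OrderRecord rows and the public key, neither of which decrypts anything. If the merchant needs recurring billing, the private key has to come out of the safe on every run, which is the problem getweb's last sentence is pointing at.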

09-07-2002, 03:33 PM #9 Disabled (joined Aug 2002, 1,216 posts)
Originally posted by cperciva
Blowfish is symmetric. If you can encrypt it on the server, you can decrypt it on the server.
You want something asymmetric, like RSA or ElGamal.
Yes, if they have the key, yet only the people authorized will have the key, and in this sense the "key" is the decryption. Also note how I said client/server; I didn't say SERVER/SERVER. In this case what he could do is write a C++ script for the client side which requires a password to log in, and a server side where it just stores the CC#'s. Then the client side goes in and downloads from the server side to the client side (here is where RSA comes in, during the download), and the C++ program decrypts on the client side.

09-08-2002, 02:29 AM #10 Web Hosting Master (joined Aug 2002, Baltimore, Maryland, 580 posts)
Ahhh, storing CC#'s in databases on WEBSERVERS is a bad idea... but if you're gonna do it, use Blowfish.

09-08-2002, 08:57 AM #11 Web Hosting Master (joined Apr 2002, AU, 1,049 posts)
plaintext and leave it on your webserver with the name order.log

09-08-2002, 11:39 AM #12 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)
Hi cperciva,
I feel for you man

09-08-2002, 11:43 AM #13 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)
Let me give you all some friendly advice:
If you don't understand anything about security, then...
Do NOT use Blowfish.
* If you DO understand anything about security, then you don't need anybody to tell you not to use Blowfish.

Last edited by Ahmad; 09-08-2002 at 11:51 AM.

09-08-2002, 11:44 AM #14 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)
Originally posted by hosticle
plaintext and leave it on your webserver with the name order.log

09-08-2002, 11:50 AM #15 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)

09-08-2002, 11:56 AM #16 Disabled (joined Aug 2002, 1,216 posts)
Originally posted by hosticle
plaintext and leave it on your webserver with the name order.log

09-08-2002, 12:20 PM #17 Web Hosting Master (joined Jan 2002, Kuwait, 679 posts)
Originally posted by ChickenSteak
Best idea yet. Well anyway, everyone has their own opinion; it's nothing to argue over.
- Unplug your webserver

09-08-2002, 05:25 PM #18 Web Hosting Master (joined Aug 2002, Baltimore, Maryland, 580 posts)
Originally posted by Ahmad
Let me give you all some friendly advice:
If you don't understand anything about security, then...
Do NOT use Blowfish.
* If you DO understand anything about security, then you don't need anybody to tell you not to use Blowfish.

09-08-2002, 05:40 PM #19 Disabled (joined Aug 2002, 1,216 posts)
lol