perlmeditation
petethered
<hr><b><edit></b> Just to clarify, I HAVE to store the credit card numbers since the cards will need to be automatically rebilled. <P>If It was just onetime transactions, there would be no problems.<b></edit></b><hr><P>
Recently an intresting problem has fallen in my lap.<P>
How to securely store creditcards to make them safe
incase of a system penetration.<P>
Now, if the transactions I was expecting were one
time transactions ( a sale for example ), I would store
everything but the last 4 digits, and If the customer
was going to make another one time transaction, just
ask for the last 4 digits.<P>
But my problem is that I'm expecting recurring billing.
A transaction every month , without having the customer
to re-enter any information ( for a service based website.
Not pr0n ;) Those were my younger broker days ;)<P>
So i'm forced to store credit card numbers. But every
day in the news you read about X site being penitrated
and Y number of CC's stolen.<P>
Well, I have come up with a number of possible solutions, and im hoping the Monestary can think of the best way for me to do it.<P>
<ol><li><b> Not encrypt them at all</b>, dubed the "Pray" method. Pray
that the system doesnt get penetrated. Rely on MySQL's internal
access tables to protect it, and the servers hosts.allow/deny
and patches.<br><br></li>
<li> <b>Use a simple find and replace encryption</b>. Ie, scramble the
numbers up based on a precreated hash. Could be made stronger
by randomizing the hash based on a timestamp. THis is easily
hacked if the source code is read. Billing can be automatic.<br><br></li>
<li> <b>Use PGP.</b> Encrypt the card number with the public key for
storage into the database, then have an administrator billing
interface where the Private key is cut and pasted into a textbox
and the cards are decrypted for billing. Pretty secure, but all
a hacker has to do is alter the source code to capture the private
key and/or the cc number after its decrpyted. Billing is not
automatic since the admin has to enter his private key everyday<br><br></li></ol><P>
So, as you can see there is no perfectly secure way of storing the
cards, unless I missed something. Im leaning twords the PGP
encrpytion but the annoyance of having to manually do the recurring
billing may not make it fly with the boss.<P>
So monks, is there anything I missed?
<P>
<b>Pete</b><P>
<font size=1>insert into pete values('red hair','near green eyes','overinflated ego');</font>