Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??

<edit> Just to clarify, I HAVE to store the credit card numbers since the cards will need to be automatically rebilled.

If It was just onetime transactions, there would be no problems.</edit>


Recently an intresting problem has fallen in my lap.

How to securely store creditcards to make them safe incase of a system penetration.

Now, if the transactions I was expecting were one time transactions ( a sale for example ), I would store everything but the last 4 digits, and If the customer was going to make another one time transaction, just ask for the last 4 digits.

But my problem is that I'm expecting recurring billing. A transaction every month , without having the customer to re-enter any information ( for a service based website. Not pr0n ;) Those were my younger broker days ;)

So i'm forced to store credit card numbers. But every day in the news you read about X site being penitrated and Y number of CC's stolen.

Well, I have come up with a number of possible solutions, and im hoping the Monestary can think of the best way for me to do it.

  1. Not encrypt them at all, dubed the "Pray" method. Pray that the system doesnt get penetrated. Rely on MySQL's internal access tables to protect it, and the servers hosts.allow/deny and patches.

  2. Use a simple find and replace encryption. Ie, scramble the numbers up based on a precreated hash. Could be made stronger by randomizing the hash based on a timestamp. THis is easily hacked if the source code is read. Billing can be automatic.

  3. Use PGP. Encrypt the card number with the public key for storage into the database, then have an administrator billing interface where the Private key is cut and pasted into a textbox and the cards are decrypted for billing. Pretty secure, but all a hacker has to do is alter the source code to capture the private key and/or the cc number after its decrpyted. Billing is not automatic since the admin has to enter his private key everyday

So, as you can see there is no perfectly secure way of storing the cards, unless I missed something. Im leaning twords the PGP encrpytion but the annoyance of having to manually do the recurring billing may not make it fly with the boss.

So monks, is there anything I missed?

Pete

insert into pete values('red hair','near green eyes','overinflated ego');


In reply to Encrypting Credit card numbers by petethered

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others imbibing at the Monastery: (7)
    As of 2014-10-31 07:10 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      For retirement, I am banking on:










      Results (215 votes), past polls