Re: Storing credit card numbers temporarily (OT)

by gam3 (Curate)
on Aug 13, 2005 at 23:50 UTC (#483630=note)

in reply to Storing credit card numbers temporarily (OT)

Could you expand on how you are storing the keys?

Is there only one key for all of the users?

If you create a new key each time a user submits a CC# then you can store the key in the final submit form in a hidden field. Now you can only decrypt the CC# that is in the database when the final form is submitted.

As for the database entry I would have an order AND a cancel button on the web page, so that the user can delete the CC# from the database if they want. You should also expire (delete) the CC# in the database after some (relatively short) amount of time.

-- gam3
A picture is worth a thousand words, but takes 200K.


Re^2: Storing credit card numbers temporarily (OT)
by phroggy (Monk) on Aug 14, 2005 at 03:04 UTC
    If a user wants to cancel, there's absolutely no reason to think that they'll actually bother to click your cancel button, instead of just clicking some other link. Go ahead and put a cancel button, but it shouldn't actually do anything besides redirect them to another page.
    perl -e '($,,@_)=("er",",\n","l Hack"," P","Just anoth"); print reverse @_;'
Re^2: Storing credit card numbers temporarily (OT)
by bradcathey (Prior) on Aug 14, 2005 at 03:07 UTC

    Hmmmmmm, I only have one key for all. Currently it is stored in a chmod'ed 600 folder off my home directory (not root). I was told this was the safest place. I like your idea of a different key for each! But why in a hidden field? Isn't that too obvious? What about a cookie?

    I did think about the cancel button, but there is still a chance they will bail without clicking it.

    And how do you delete a record from a database automatically? Cron job? Thanks!


    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot
      There is no security difference between a cookie and a hidden field in a form on the client side. They are both likely to be stored on the hard disk. Having the key in the form just binds it closer to its use so it is less likely to leak out. If you were careful you could get the same effect with cookies -- using path etc.

      It does not matter if someone has the key on the client machine, because the CC# is on your computer. And if they get into the database they will need the key from each client to get the stored CC#s.

      Yes you can run a cron job to remove the old entries.

      -- gam3
      A picture is worth a thousand words, but takes 200K.
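The scheme gam3 sketches above (a fresh key per submitted card number, the key handed back to the client in the final form rather than kept on the server, the database holding only ciphertext, and a periodic sweep deleting stale rows) is shown below as an added Python example. It is not code from the thread or from any poster, and it uses only the standard library: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD (a production system would use something like AES-GCM), the `PendingOrders` table stands in for the database, and `purge_expired` is what the cron job would run. The card number is a constructed sample.

```python
"""Per-order keys for card numbers held only until the final submit.

Added illustration, not PerlMonks code. The cipher here is HMAC-SHA256 in
counter mode plus an HMAC tag (encrypt-then-MAC); it is stdlib-only so the
example runs anywhere, but a real deployment should use an AEAD.
"""
import hashlib
import hmac
import secrets
import time

NONCE_LEN = 16   # random per-record nonce
TAG_LEN = 32     # HMAC-SHA256 tag


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the per-order key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(enc_key, nonce || counter) blocks concatenated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under `key`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified row raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class PendingOrders:
    """Stand-in for the database table of card numbers awaiting final submit.

    Rows hold only (ciphertext, created_at); the key never touches this table.
    """

    def __init__(self, max_age_seconds: int = 900):
        self.max_age = max_age_seconds
        self.rows = {}   # order_id -> (ciphertext, created_at)

    def begin_order(self, card_number: str, now=None):
        """First form: encrypt under a fresh key and return (order_id, key_hex).

        The caller puts key_hex in the hidden field of the final form.
        """
        now = time.time() if now is None else now
        key = secrets.token_bytes(32)
        order_id = secrets.token_hex(8)
        self.rows[order_id] = (encrypt(key, card_number.encode()), now)
        return order_id, key.hex()

    def complete_order(self, order_id: str, key_hex: str) -> str:
        """Final submit: decrypt with the key the form carried, then drop the row."""
        ciphertext, _ = self.rows[order_id]
        card_number = decrypt(bytes.fromhex(key_hex), ciphertext).decode()
        del self.rows[order_id]
        return card_number

    def cancel_order(self, order_id: str) -> None:
        """Cancel button: delete the row outright."""
        self.rows.pop(order_id, None)

    def purge_expired(self, now=None) -> int:
        """Cron-job sweep: delete rows older than max_age; returns the count removed."""
        now = time.time() if now is None else now
        stale = [oid for oid, (_, t) in self.rows.items() if now - t > self.max_age]
        for oid in stale:
            del self.rows[oid]
        return len(stale)


if __name__ == "__main__":
    store = PendingOrders(max_age_seconds=600)
    oid, key_hex = store.begin_order("4111111111111111")   # constructed test number
    print("row holds plaintext?", b"4111111111111111" in store.rows[oid][0])
    print("recovered:", store.complete_order(oid, key_hex))
```

Because `purge_expired` and the cancel path both just delete rows, a user who bails out without clicking cancel (phroggy's point) is covered by the sweep; the only window of exposure is `max_age`, and even within it the stored row is useless without the key from that client's form.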
