Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??

Fellow Monasterians,

Okay, before you implore me to Super Search, I'm aware of the many nodes on PM dealing with credit card security, encryption, SSL, etc. But a short comment by Zaxo here, that I just stumbled across, got me to wondering about something I am currently doing on an e-commerce site. Here's the scenario:

  • after reviewing the shopping cart (screen 1) and entering their contact info (screen 2), the customer enters the credit card info on a secure form (screen 3)
  • my Perl encrypts the CC# with Crypt::CBC and places it in a "temporary" record in a MySQL table id'ed by session cookie ID
  • customer then sees a summary screen (screen 4) with only CC# snip (xxxx-4321) showing
  • customer clicks the purchase button and the CC# is retrieved, decrypted, and processed by Perl using gateway conventions
  • if successful, the CC record is deleted from the database and the cookie is force-expired

For the sake of argument, let's say temporary storage is safe. But what if the customer bugs out at the summary screen and never makes the purchase, thus never deleting the record? Yikes, I'm storing their CC# when told them I wouldn't.

If I don't store it in a database, where do I store it for the short time I need it? I could:

  • skip the summary screen and just process it (but that goes against current online convention)
  • encrypt them and store them as cookies on the user's machine (merlyn once suggested this in the CB for passwords). I could set the expiration for 5 minutes and not have to worry about deleting it from the DB

Any other ideas for how to temporary store that CC# from the time they submit it to the time they click the Purchase button? Thanks!

Update: In case it matters, I have a shared hosting account on Pair, and use their SSL certificate.

Update 2: So, after a day of watching the replies to my OP, I'm thinking I should encrypt the CC# and place it in a hidden field on my summary screen and either stick with the single key I have already *or* randomly generate a key for that session and store it in a cookie. Am I getting close?


—Brad
"The important work of moving the world forward does not wait to be done by perfect men." George Eliot

In reply to Storing credit card numbers temporarily (OT) by bradcathey

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others browsing the Monastery: (12)
    As of 2014-12-18 13:41 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      Is guessing a good strategy for surviving in the IT business?





      Results (51 votes), past polls