That's a good idea. Thanks for the info. I'll have to try that. 

John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
 

-----Original Message-----
From: Ken Ferguson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 22, 2005 11:36 AM
To: CF-Talk
Subject: Re: Credit card storage

I think your best bet is to set the customers' accounts up with your
processor as recurring payments on a variable timescale, then you can
store just the last 4 digits of their card(s) and their account_id in
the processor's system. Then when they want to pay for something you
show them a list of their "card numbers" like:

Select from your credit cards on file:
**** **** **** 8745
**** **** **** 9385

and when you submit the transaction you're just hitting your processor
for the recurring account. This way the processor is the one storing the
financial data and you are protected from liability...

--Ferg



Burns, John D wrote:

>I have a similar situation with a project I'm working on but it would 
>require me breaking some of the suggestions posted. The project I'm 
>working on is a membership site in which members can be doing multiple 
>transactions within a week's time. We wanted to allow users to have 
>their CC info stored on our server to allow them faster checkout times 
>for all of these transactions.  I believe Walmart and a few other large
>online stores do this. I was planning on doing some sort of encryption 
>of the numbers and do some of the other "confusion" based security, but
>I'm just wondering if anyone else has dealt with anything like this.
>
>
>John Burns
>Certified Advanced ColdFusion MX Developer Wyle Laboratories, Inc. | 
>Web Developer
> 
>
>-----Original Message-----
>From: Andy Matthews [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 22, 2005 11:00 AM
>To: CF-Talk
>Subject: RE: Credit card storage
>
>Les...
>
>We've used that same method. Storing half and emailing the other half.
>I've got comments in my code stating that I'm "nervous about this
>part".
>
>:)
>
><!----------------//------
>andy matthews
>web developer
>ICGLink, Inc.
>[EMAIL PROTECTED]
>615.370.1530 x737
>--------------//--------->
>
>-----Original Message-----
>From: Les Mizzell [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 22, 2005 9:43 AM
>To: CF-Talk
>Subject: Re: Credit card storage
>
>
>  
>
>>My question is, is there a safe way to do this. I am pretty reluctant 
>>to store credit card information
>>    
>>
>
>I have one client that has insisted on processing their CC order 
>in-house as well. No matter how hard I tried to talk them out of it.
>
>What I ended up doing - because I was scared as hell to store a 
>complete number *anywhere*...(and I *know* it's a convoluted mess...)
>
>A. First, the entire number is encrypted
>B. Then 1/2 of it is sent through email to the client
>    along with a false random generated "the rest
>    of the number".
>C. The other 1/2 is stored in the database, along with two
>    additional false fields with random generated
>    encrypted numbers.
>D. Once they login and retrieve the portion from the database,
>    it's automatically deleted, so nothing stays in the
>    database for over 24 hours.
>
>So, I figure if an email is intercepted, and if the encryption is 
>broken, they've only got 1/2 the number at best, and they still have to
>figure out what half they've got.
>
>Same for the database. If anybody breaks in, they'd only get, at best,
>24 hours worth of numbers and even if the encryption is broken, they've
>still got to figure out what fields are real and which ones aren't.
>
>This was the best I could figure out at the time this was done. I'm
>*still* pressuring them to move to a merchant account through their 
>bank for security purposes. I've got a signed disclaimer stating my 
>disapproval of the method being used.
>
>Client always knows best, right? Sheesh!
>
>
>--
>-----------
>Les Mizzell
>
>
>
>
>
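
The approach in Ken Ferguson's message (processor holds the card, merchant keeps only the last 4 digits and an account_id), sketched as an added example that is not code from anyone in this thread. `FakeProcessor` and its method names are a constructed stand-in for whatever API a real processor exposes, and the card numbers in use are the widely published test numbers.

```python
import re
import secrets

class FakeProcessor:
    """Hypothetical stand-in for the processor; the vault lives on THEIR side."""
    def __init__(self):
        self._vault = {}

    def create_recurring_account(self, pan):
        account_id = "acct_" + secrets.token_hex(8)  # opaque, reveals nothing about the PAN
        self._vault[account_id] = pan
        return account_id

    def charge(self, account_id, amount_cents):
        if account_id not in self._vault:
            raise KeyError("unknown recurring account")
        return True

def luhn_ok(pan):
    """Luhn checksum, to reject typos before anything is sent to the processor."""
    digits = [int(d) for d in pan][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class CardsOnFile:
    """Merchant-side records: only account_id and the last four digits are kept."""
    def __init__(self, processor):
        self.processor = processor
        self.rows = {}  # member_id -> [{"account_id": ..., "last4": ...}]

    def enroll(self, member_id, pan_input):
        pan = re.sub(r"[ -]", "", pan_input)
        if not re.fullmatch(r"[0-9]{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a valid card number")
        account_id = self.processor.create_recurring_account(pan)
        # The full number is handed to the processor and never written to self.rows.
        self.rows.setdefault(member_id, []).append(
            {"account_id": account_id, "last4": pan[-4:]})

    def choices(self, member_id):
        """The 'Select from your credit cards on file' list."""
        return ["**** **** **** " + r["last4"] for r in self.rows.get(member_id, [])]

    def pay(self, member_id, index, amount_cents):
        row = self.rows[member_id][index]
        return self.processor.charge(row["account_id"], amount_cents)
```

A dump of `rows` yields only opaque account IDs and last-4 values, so the merchant database alone cannot be used to reconstruct a card number.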



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:218986
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4