The way this is done is over some secure tunnel at the time of transaction.
Verisign's (now Paypal's) tags do that, as well as most other companies I
believe.  Locally you should never store the credit card, only the
transaction id from the cc company.  If your server is compromised, they
cannot get any old cc #'s, although they can probably sniff transactions as
they happen; there's really nothing you can do about that.  Just try to
keep your server as secure as you can.

Russ



> -----Original Message-----
> From: Steve Kahn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 1:27 PM
> To: CF-Talk
> Subject: RE: Form Encryption
> 
> Very good points across the board.
> Technically, I do not need to store the credit card info in the db.
> However I do need to securely send/pass/or make available the credit card
> info to the receiving company. Maybe there is a better method to do so.
> 
> Steve
> 
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 12:53 PM
> To: CF-Talk
> Subject: Re: Form Encryption
> 
> You can use asymmetric-key RSA encryption economically...
> 
> http://developer.perthweb.com.au/textcrypt.html
> 
> I've been using that tool for many years.  It's about as safe as you
> can get for encrypting stored data.  Key part of that phrase is "as
> you can get".
> 
> The problems with symmetric key encryption were already well-stated.
> Don't even think of doing that.  In theory a combination of SSL and a
> 128-bit RSA encryption provide a commercial-strength solution, but I
> would argue that it's a horrible idea to store credit card info on a
> server you are responsible for.  It's such a gross violation of best or
> even acceptable practices in the IT and financial industries that the
> liability you will bear if the chain of custody on the private key is
> compromised... the liability you will personally incur, as well as
> what your client will incur... it's not worth the risk.
> 
> I would suggest that, if you are storing data, encrypt ALL of it to
> make the job more difficult.  Do not name the fields with
> hacker-usable names (like credit_card_number).  Use symmetric key
> encryption to encrypt first, then use asymmetric to encrypt that.
> Access your db server via a 2nd nic and make that 2nd nic go to the
> other server via internal IPs only.
> 
> ..... and say your prayers regularly.
> 
> --
> [EMAIL PROTECTED]
> Janitor, The Robertson Team
> mysecretbase.com
> 
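The storage rule Russ and Matt describe (never persist the card number, keep only the processor's transaction id) as an added example that is not part of the original thread. The gateway call, the record layout and the test PAN are constructed assumptions; the Luhn scan at the end is the kind of check a defender runs over stored data or logs to confirm no full card number slipped through.

```python
import re

# Constructed sample: a Luhn-valid test number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> list:
    """Find 13-19 digit runs that pass Luhn: what a leak scan over a DB dump or log looks for."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_valid(m)]


def charge_via_gateway(pan: str, exp: str, amount_cents: int) -> dict:
    """Hypothetical processor call (assumption). A real integration sends this
    over TLS to the card company and gets back only a transaction reference."""
    return {"transaction_id": "txn_0001", "approved": True}


def record_order(pan: str, exp: str, amount_cents: int, gateway=charge_via_gateway) -> dict:
    """Hand the card to the gateway at transaction time and persist only
    the transaction id and last four digits, never the PAN or expiry."""
    result = gateway(pan, exp, amount_cents)
    return {
        "transaction_id": result["transaction_id"],
        "last4": pan[-4:],
        "amount_cents": amount_cents,
        "approved": result["approved"],
    }


def stored_record_is_clean(record: dict) -> bool:
    """True when nothing in the persisted record still looks like a card number."""
    return find_pan_like(repr(record)) == []


if __name__ == "__main__":
    rec = record_order(TEST_PAN, "12/09", 1999)
    print(rec)
    print("clean:", stored_record_is_clean(rec))
    print("leak in raw log line:", find_pan_like("POST /checkout card=" + TEST_PAN))
```

The scan is deliberately applied to the record as it would be written, so it also catches the common mistake of logging the full request body before the gateway call.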

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280288