I understand the legal ramifications very well - I'm very well versed in it all - I used to design Internet Banking apps (GUI, not backend) and I am a reseller of Authorize.net... It's in my best interest to use them and I push them continually. I get all your points and agree 100%. I understand it's in everyone's best interest to steer them towards some third-party solution. Yep. I know. Got it.
However, I do not feel "walk away from the client" is necessarily the right answer here, or very constructive. I mean - cripes - can't we just explore it from an academic perspective?? What if I want to store "something else" as securely as credit card data. Like a cookie recipe. Someone mentions CCs or SSNs and everyone freaks out and tells you to call their lawyer. Well - ok - that's all fine and dandy - point taken - let's move on - that kind of talk doesn't really address the honest question of: how could you actually do it responsibly?

From what I gather so far, the steps may be:

1) Make sure the connection is SSL (obviously)
   A) Is there a way to verify the connection is secure (or that the SSL hasn't expired)?
2) Save the "Cookie Recipe" in a DB (at the final step of processing)
   A) Encrypted with "above industry standards" (TBD?)
   B) Data possibly broken into two parts (maybe separate tables as well?)
   C) Encryption key stored separately - not on the web server or the DB server (another computer on the same network? another DB on the same server??)

So the question is: where? How? How does a public/private key system work? (Does the user have to type in "a key" each time they view the data? Could the key be a static thing only the company admin knows? Like an additional password they need to see the recipe??) What if the key lived on a separate web server at a different location - could you call the key in real time with an SSL HTTP call for encryption???

And Maureen - calling my clients idiots is unfair. Only I get to call them that.

Thanks to all for your constructive advice.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to reach the ColdFusion community with something they want?
Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330930 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
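The poster's step 2C (key held on a machine that is neither the web server nor the DB server, fetched at request time) is the envelope-encryption pattern: each record gets its own random data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the key service, and the database stores only ciphertext plus the wrapped DEK. The following is an added example, not code from the original post or from the cf-talk thread; it is written in Go rather than ColdFusion so it can run stand-alone. The `KeyServer` struct is an in-process stand-in for the separate key host (an HSM, KMS or a small service reached over mutually authenticated TLS); the record IDs and the recipe text are constructed sample data. AES-256-GCM is used for both layers, with the record ID bound in as associated data so a ciphertext or wrapped key moved to a different row fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the separate host that holds the key-encryption
// key (KEK). The web and DB servers never see the KEK; they only ask this
// service to wrap or unwrap a per-record data-encryption key (DEK).
// Assumption for the example: in-process struct instead of a real KMS/HSM.
type KeyServer struct {
	kek []byte // 32-byte AES-256 key-encryption key
}

// NewKeyServer generates a fresh random KEK.
func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// seal encrypts plaintext with AES-256-GCM under key, authenticating aad.
// Output layout: nonce || ciphertext || GCM tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapDEK and UnwrapDEK are the only operations the key server exposes.
// Binding recordID as AAD stops a wrapped key from being reused on another row.
func (ks *KeyServer) WrapDEK(dek []byte, recordID string) ([]byte, error) {
	return seal(ks.kek, dek, []byte("dek:"+recordID))
}

func (ks *KeyServer) UnwrapDEK(wrapped []byte, recordID string) ([]byte, error) {
	return open(ks.kek, wrapped, []byte("dek:"+recordID))
}

// Record is what actually lands in the database: ciphertext plus the
// wrapped DEK. Neither column is useful without the key server.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Store encrypts secret for recordID with a fresh per-record DEK, then has
// the key server wrap that DEK. The plaintext DEK is zeroed before returning.
func Store(ks *KeyServer, recordID string, secret []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, secret, []byte("rec:"+recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek, recordID)
	if err != nil {
		return Record{}, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return Record{ID: recordID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Retrieve asks the key server to unwrap the record's DEK, then decrypts.
func Retrieve(ks *KeyServer, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.WrappedDEK, r.ID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte("rec:"+r.ID))
}

func main() {
	ks, _ := NewKeyServer()
	rec, _ := Store(ks, "recipe-42", []byte("2 cups flour, 1 cup sugar")) // constructed sample
	pt, err := Retrieve(ks, rec)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	rec.ID = "recipe-43" // move the row's ciphertext to another ID
	_, err = Retrieve(ks, rec)
	fmt.Println("after ID swap, err =", err)
}
```

The shape matters more than the library: whoever compromises the web or DB server gets ciphertext and wrapped keys but not the KEK, and an attacker who can only rewrite rows cannot splice one customer's data onto another record because the record ID is authenticated. What this does not solve is the poster's key-fetch question: the key server must authenticate the caller (client certificates or a signed request, not just an HTTPS URL) and log every unwrap, otherwise the "separate location" is just one more host the web server can talk to.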