On Thu, Feb 18, 2010 at 5:44 PM, Matthew Smith <chedders...@gmail.com> wrote:

>
> I want to encrypt billing information in an ecommerce app.  I know the
> argument against storing it, and we are considering not storing it.  But I
> just want to explore options.
>
> So I can encrypt in cf with aes, or in sql server with a certificate and
> triple des symmetric key, or both cf AND sql server.
>
> What is the best choice?
>
> What is required for PCI compliance?
>
> Also, if I encrypt in sql server with a certificate and key, if I back up
> the live server and restore locally, will the data be accessible?  Are the
> certificates and keys movable?
>
>

The ONLY reason you would need to store the credit card is if you are going
to move to a new merchant / payment gateway in the future and you run a
subscription service requiring members to make regularly scheduled payments,
and even then.... The main issue with storing the credit card data is, you
can't store the CAV2 / CVC2 / CVV2 / CID codes...

If you want to thwart fraudulent transactions, you are most likely going to
validate against the cardholder's address and the CVV2 code.

What else would you need to do with the card? Without the CVV2 code, you
could have issues creating additional transactions against the card unless
you tell your gateway not to require it, BUT that's an all-or-nothing setting
at the gateway level, so if you say no, all transactions will go through.

This is why I love Authorize.Net's CIM processing.
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

Each customer is set up at authorize.net with a profile, and that includes
their payment information. In the future, if we need to charge the card, we
just send a transaction against that customer's payment profile at
authorize.net.

I don't need to store the credit card, and the website is in PCI compliance
off the get go. Well, of course this includes your standard SSL and all that
stuff, cfqueryparams and things to keep your application safe as a whole.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330938