Justin,

Good points.

> Storing credit card data is serious business and not to be taken
> lightly.

OK, CVV is out of there. Good advice.

> In your case, as a place to start, set up a separate temporary script
> which generates a key, then take the generated key output and put it in a
> variable in the request scope in your application.cfc file.  Then use
> request.theKey (or whatever you call it) as the key whenever you make an
> encrypt() or decrypt() call.

OK .... this is a lot to process. I understand the concept; I gotta figure
out the script syntax and I am not good at scripting. I will work on this
and get back to you. Thank you again for your help.

Eric

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org] 
Sent: Monday, February 18, 2013 10:32 PM
To: cf-talk
Subject: Re: decryption question


> http://pastebin.com/3xtt3b8k

At first glance I'm not sure why it wouldn't find the form variable.
You might try explicitly setting the scope in all instances of that
variable.  Also, why are you paraming it in the form scope?  Your form
doesn't have a variable called "decrypted" so it will always start out
blank.  I'd just set a blank variable in the "variables" scope and then set
that if you decrypt a card number and use it that way so they're all in the
same scope.

Also, regarding your encryption keys, you're generating a new key just
before the encrypt() call, so it'll go into the database encrypted.
However, you're not storing the key anywhere so you won't be able to decrypt
on subsequent page loads (since the key is changing every time the page
loads).  Generally you would generate an AES key and then store it somewhere
secure (key management is another whole topic) and then fetch that stored
key when you need to use it for encryption and decryption calls.  In your
case, as a place to start, set up a separate temporary script which
generates a key, then take the generated key output and put it in a variable
in the request scope in your application.cfc file.  Then use request.theKey
(or whatever you call it) as the key whenever you make an encrypt() or
decrypt() call.
That will allow you to use the same key for data going into and coming out
of the database.  Use that as a place to start, but do some reading on
encryption key management before you put it into production.

Finally, do not store the CVV in the database.  It's against the contract
rules for every major credit card processor, the PCI-DSS standards, and will
create a lot of headaches if your site is ever hacked.  CVV codes are meant
for online live transactions only and should not be stored anywhere ever
(lots of clients will complain that they need it for offline processing to
save some processing fees; tell them too bad and don't store it, no good can
come of it).  If you aren't familiar with the PCI-DSS, please go to
https://www.pcisecuritystandards.org/security_standards/ and look over the
information there.  Storing credit card data is serious business and not to
be taken lightly.


-Justin
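The key-handling approach Justin describes above (generate the key once in a throwaway script, load it into request.theKey from Application.cfc, and pass that same key to every encrypt() and decrypt() call), written out as an added CFML example. This is not code from either message in the thread; the key file path /opt/myapp/keys/card.key and the application name are assumptions, and it uses AES in CBC mode with a random IV stored next to the ciphertext rather than ColdFusion's default mode for encrypt(). Three files are shown in one block.

```cfml
<!--- generateKey.cfm: run ONCE, then delete it from the server. --->
<cfscript>
// generateSecretKey() returns a Base64 string, which is exactly the
// form encrypt() and decrypt() expect for their key argument.
newKey  = generateSecretKey("AES");
// Assumed location outside the web root, so the key can never be
// served up as a file by the web server.
keyPath = "/opt/myapp/keys/card.key";
if (fileExists(keyPath)) {
    // Overwriting the key would make every row already in the
    // database undecryptable, so refuse.
    throw(message="Key file already exists at " & keyPath & "; refusing to overwrite.");
}
fileWrite(keyPath, newKey);
writeOutput("Key written to " & keyPath & ". Delete generateKey.cfm now.");
</cfscript>

<!--- Application.cfc: load the stored key, never generate one here. --->
<cfscript>
component {
    this.name = "CardDemo";   // assumed application name

    function onApplicationStart() {
        // Read the key file once per application start, not once per request.
        var keyPath = "/opt/myapp/keys/card.key";
        application.cardKey = trim(fileRead(keyPath));
        return true;
    }

    function onRequestStart(required string targetPage) {
        // Same key on every page load, so data encrypted on one request
        // can be decrypted on any later one.
        request.theKey = application.cardKey;
        return true;
    }
}
</cfscript>

<!--- cardCrypto.cfm: helpers used by the pages that touch card numbers. --->
<cfscript>
// Encrypt a card number with a fresh random IV on every call. The IV is
// not secret; it is stored in front of the ciphertext so decryptCard()
// can hand the same IV back to decrypt().
function encryptCard(required string cardNumber, required string key) {
    // generateSecretKey("AES") yields 16 random bytes, reused here as an IV.
    var iv         = binaryDecode(generateSecretKey("AES"), "base64");
    var cipherText = encrypt(cardNumber, key, "AES/CBC/PKCS5Padding", "Base64", iv);
    return binaryEncode(iv, "base64") & ":" & cipherText;
}

// Reverse of encryptCard(): split off the IV, then decrypt with the
// shared key. Base64 never contains ":" so the split is unambiguous.
function decryptCard(required string stored, required string key) {
    var iv         = binaryDecode(listFirst(stored, ":"), "base64");
    var cipherText = listLast(stored, ":");
    return decrypt(cipherText, key, "AES/CBC/PKCS5Padding", "Base64", iv);
}

// Usage on a page. 4111111111111111 is the standard Visa test number,
// a constructed value for the example only.
stored = encryptCard("4111111111111111", request.theKey);
// ... INSERT stored into the table here; the CVV is never stored at all ...
plain  = decryptCard(stored, request.theKey);
</cfscript>
```

If a page generated its own key with generateSecretKey() just before calling encrypt(), as the original script did, decryptCard() on a later request would be handed a different key and decrypt() would fail with a padding or bad-key error; reading the one stored key in Application.cfc is what makes the two calls agree. Reading the key from a file is only the starting point Justin mentions: for production, the file permissions, backups and rotation of that key are the key-management reading he recommends.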



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354582