Hi Jeremy, I'm also on this team, so I'll open my mouth.

I have always liked the idea of public key encryption of the CC numbers.  My
problem has been that in order to implement a solution that meets our needs,
we will run over our production deadlines.

We need a solution that fits the following criteria:

- Works with our current CC processing scheme - CFX_ONCR_CyberCash
- Will work with a 100% cross browser solution
- Is 100% secure

I can think of 2 situations where we need to decrypt the credit card number.
When we send it to the CFX tag and when we return it to the browser to
display it to the member.  To remove the latter situation, we can have a
display version of the CC number and only return that.

Russel

============================================================
  Russel Madere, Jr.         Senior Web Developer
  ICQ: 5446158               http://www.TurboSquid.com

Some days you eat the bear; some days the bear eats you.
============================================================


> -----Original Message-----
> From: Jeremy Allen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 17, 2001 10:34
> To: CF-Talk
> Subject: RE: Storing/Encrypting Credit Cards
>
>
> Matt, I have contemplated this on a couple of occasions.
>
> First, you have to make sure the entire session is
> SSL so that the data can arrive with a degree of security
> to your server.
>
> Next, you should use a public/private key system and encrypt
> the credit card with a public key, and store the private key
> TOTALLY off the server.
>
> Now the only way to unencrypt the credit card is with the
> private key, which you do not have on the internet at all.
>
> The main *idea* behind this is encrypting the CC num with a
> public key, and then only unencrypting it with the private key
> (not on the internet) when absolutely necessary, rendering
> the database useless unless you have access to the private
> keys.
>
>
> This is grossly oversimplified, since on a step-by-step level
> this is pretty complex, but that's the idea. As an okay starting
> point, there are tons of papers out there (especially dealing
> with PHP) about this stuff, so you can get a great starting
> point from some of that documentation.
>
>
> Jeremy Allen
> elliptIQ Inc.
>
>
>
> >-----Original Message-----
> >From: Matt Wisdom [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, January 17, 2001 10:47 AM
> >To: CF-Talk
> >Subject: Storing/Encrypting Credit Cards
> >
> >
> >We need to store credit cards in a certain situation. I realize
> >that this is recommended against.
> >
> >That being said, I have searched through the archives, and I
> >haven't found any solutions that are great. The best I found was
> >to use a solid (or "pretty good" ;-) encryption for the credit
> >card numbers in the database, and then force the hacker to figure
> >out how CF is unencrypting the numbers. The other suggestions were
> >ways to further obfuscate this process, but none were "100%"
> >solutions.
> >
> >An alternate solution I am considering is to store part of the
> >credit card in our database, and part in a user cookie, both
> >encrypted of course. We already have a cookie requirement in the
> >case where we need to store credit cards, so that is not a
> >problem. Also, I don't think that the users will mind only being
> >able to access their credit cards from the machine from which
> >they were saved.
> >
> >Is anybody utilizing this method?
> >
> >Matt
> >
> >
> >
>
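As an added example (not code from anyone in this thread), here is the split Jeremy describes plus Russel's display-only copy, in Go: the web tier holds only the RSA public key and stores the OAEP ciphertext together with a masked string, while decryption belongs to whoever holds the private key off the server. The key pair is generated in-process only so the demo runs, and the card number is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// CardRecord is all the web tier stores: ciphertext it cannot open, plus a masked copy.
type CardRecord struct {
	Ciphertext []byte
	Display    string
}

// MaskPAN keeps only the last four digits; this is the "display version" returned to the member.
func MaskPAN(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return digits
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// EncryptForStorage runs on the web server, which has only the public key.
func EncryptForStorage(pub *rsa.PublicKey, pan string) (CardRecord, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte("cc-number"))
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Ciphertext: ct, Display: MaskPAN(pan)}, nil
}

// DecryptOffline is what the private-key holder runs, away from the web tier, only when needed.
func DecryptOffline(priv *rsa.PrivateKey, rec CardRecord) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Ciphertext, []byte("cc-number"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only; in the design this key never touches the server
	rec, _ := EncryptForStorage(&priv.PublicKey, "4111 1111 1111 1111") // constructed test PAN
	fmt.Println("stored display:", rec.Display)
	pan, _ := DecryptOffline(priv, rec)
	fmt.Println("recovered offline:", pan)
}
```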
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
