I just use encrypt/base64 to encrypt cards as SOP. Here is my snippet; the
key I choose randomly for each site.

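<!--- Encrypt, then Base64-encode so the result can be stored as plain text --->
<cfset secret_word_encrypted = ToBase64(Encrypt(string2beEncrypted, key))>
<!--- Base64-decode back to the cipher string, then decrypt with the same key --->
<cfset secret_word_decrypted = Decrypt(ToString(ToBinary(secret_word_encrypted)), key)>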

jon
----- Original Message -----
From: "Tony Schreiber" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, May 04, 2001 11:43 AM
Subject: Re: Credit Card DB Encryption Methodology


> Yes, but that's a physical architecture issue. I'm just trying to address
> the software side. I'm surprised there haven't been more comments on this,
> seems to have been a pretty hot topic.
>
> Also, I've realized no site I've been to seems to store cc info this way
> (because I'm not prompted for my password) so I wonder what other schemes
> they are using....
>
> > Sounds very secure, of course you might add that the database in question
> > should never be on a web server. The database should only be accessible
> > from behind a firewall which permits only the web server's IP to access the
> > database server.
> >
> > jon
> > ----- Original Message -----
> > From: "Tony Schreiber" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Thursday, May 03, 2001 3:52 PM
> > Subject: Credit Card DB Encryption Methodology
> >
> >
> > > Ok, I've been reading the last few threads on this and pondering the best
> > > way to approach this scenario (storing CC in DB) and I've come up with the
> > > following idea:
> > >
> > > 1) The User's password is stored as a one-way HASH.
> > > 2) The Credit Card info (list of cc number, exp date and verification
> > > number) is stored as an ENCRYPTED string with the User's raw password as
> > > the key.
> > >
> > > Interface-wise, this requires that:
> > >
> > > a) the user type in their password when Adding or Updating a credit card
> > > record in the db (so it can be encrypted)
> > > b) the user type in their password when finalizing an order (so the cc
> > > info can be decrypted to be processed)
> > > c) When a user changes their password, all cc records in the database must
> > > be updated using the old and new passwords
> > >
> > > But this way, neither the user's password, the encryption key nor the cc
> > > info is stored unencrypted anywhere on the server.
> > >
> > > Comments?
> > >
> > >
> > > Tony Schreiber, Senior Partner                  Man and Machine, Limited
> > > mailto:[EMAIL PROTECTED]                      http://www.technocraft.com
> > >
> > > http://www.simplemessageboard.com ___Free Forum Software for Cold Fusion
> > > http://www.is300.net ___________The Enthusiast's Home of the Lexus IS300
> > > http://www.digitacamera.com ______________DigitA Camera Scripts and Tips
> > > http://www.linklabexchange.com _____________Miata Link ECU Data Exchange
> > >
> > >
> > >
> > >
> >
>
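
Added example, not part of the original thread: the scheme from the first message (one-way password hash, card data encrypted under a key derived from the raw password, re-encryption on password change), written in JavaScript on Node.js's built-in crypto module rather than CFML. The function names, the choice of scrypt and AES-256-GCM, and the two separate salts are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// scrypt stretches the password into 32 bytes; the salt decides what it is for.
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Steps 1 and 2: the stored hash and the encryption key use different salts,
// so a stolen database row does not contain the key that protects the cards.
function createUser(password) {
  const [authSalt, keySalt] = [crypto.randomBytes(16), crypto.randomBytes(16)];
  return { authSalt, keySalt, pwHash: kdf(password, authSalt), cards: [] };
}

function checkPassword(user, password) {
  return crypto.timingSafeEqual(user.pwHash, kdf(password, user.authSalt));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag); // final() throws on a wrong key or altered record
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// (a) Adding or updating a card needs the raw password to derive the key.
function addCard(user, password, cardInfo) {
  if (!checkPassword(user, password)) throw new Error('bad password');
  user.cards.push(seal(kdf(password, user.keySalt), cardInfo));
}

// (b) Finalizing an order: the card can only be read with the password.
function readCards(user, password) {
  if (!checkPassword(user, password)) throw new Error('bad password');
  const key = kdf(password, user.keySalt);
  return user.cards.map((rec) => unseal(key, rec));
}

// (c) Password change: build the new record fully, then swap it in, so a
// failure part-way through leaves the old record readable.
function changePassword(user, oldPw, newPw) {
  const cards = readCards(user, oldPw);
  const next = createUser(newPw);
  cards.forEach((card) => addCard(next, newPw, card));
  return Object.assign(user, next);
}
```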