He realizes that there are security problems and that's why he's asking for help. That also implies that he doesn't really have a choice in this matter. Sometimes it isn't a customer requirement, it's a client requirement. I had this as a client requirement on a project before and they were not willing to back down on this even after five developers working for two companies told them not to do it. Here was the rationale: "They do it on Amazon and we want to make it as easy for people as Amazon."
To answer Chad's question, hashing the credit card number might work for you. It might work best to hash other unstored information with the credit card number, perhaps the expiration date, just to make the hashed data set a bit more complex. I can't recommend a specific hash function because I don't know specifics on any of them. I just have an idea how they work. Keep in mind that if you hash the credit card number you'll need to store the information somewhere else for processing. It is common to show the last four digits of the credit card number so the users can verify that they are using the credit card they mean to use. You would have to store this information separately from the hashed credit card.

A friend of mine was looking over my shoulder yesterday when I replied to this thread and he was really impressed with the number of security-minded developers involved in this discussion.

At 01:39 PM 1/28/02 -0500, you wrote:
> Store everything but the number and communicate with the users why you are not storing them. Asking them to retype everything is a pain but just the CC, na, I don't think you would hear anyone complain, they would probably like that...
>
> >>> [EMAIL PROTECTED] 01/28/02 12:48PM >>>
> What about return visitors that want to store their CC number? MD5 hash on the number? then store it in the database?
>
> At 11:56 AM 1/28/2002 -0500, you wrote:
> > hear hear, all we keep are the last 4 numbers.....let the banks worry ...
> >
> > >>> [EMAIL PROTECTED] 01/27/02 07:00PM >>>
> > Don't store the credit card numbers at all. Just process the transaction immediately and store the rest of the order information.
> >
> > ----- Original Message -----
> > From: "Jeff Fongemie" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Sunday, January 27, 2002 7:17 AM
> > Subject: Best way to store credit cards in database?
> >
> > > Sunday, January 27, 2002, 10:12:15 AM
> > > Hello CF-Talk,
> > >
> > > I've got a simple site, and it uses a small Access database. We will be taking credit cards.
> > >
> > > Wondering what others consider a realistic practice to ensure security to a reasonable level. What do others do?
> > >
> > > The site will have SSL, but I'm thinking along the lines of encrypting the card number. However, I know how insecure ColdFusion's encryption is, so why bother?
> > >
> > > If people do somehow encrypt the card number, would you be willing to give examples? And I guess I'll need a way to unencrypt the numbers in an admin area.
> > >
> > > I've seen where a site will store half of the number, and the second half gets sent by email to the shop owners. Then the shop owners need to go in and match up the numbers.
> > >
> > > Thanks for any advice, recommendations on this.

Now available in a San Francisco Bay Area near you!
http://www.blivit.org/mr_urc/index.cfm
http://www.blivit.org/mr_urc/resume.cfm
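A keyed version of the fingerprint idea from the reply above (hash the card number together with the expiry, keep only the last four digits alongside it), as an added Python example that is not code from the thread. It assumes the secret key is loaded from configuration held outside the database, and uses a constructed, Luhn-valid test number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject mistyped numbers before fingerprinting (Luhn check digit)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_fingerprint(pan: str, exp: str, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256) of card number plus expiry.

    A plain MD5 of the number, as proposed in the thread, is deterministic, and
    the space of valid card numbers is small enough to enumerate, so anyone who
    copies the database can reverse it. Keying the hash with a secret that lives
    outside the database removes that shortcut; the expiry is mixed in as the
    thread suggests, so a reissued card gets a new fingerprint.
    """
    return hmac.new(key, f"{pan}|{exp}".encode(), hashlib.sha256).hexdigest()


def make_record(pan: str, exp: str, key: bytes) -> dict:
    """What gets stored: last four digits for display, fingerprint for matching.

    The full number is deliberately not recoverable from this record, so it
    cannot be used to charge the card later; the charge itself still has to be
    processed at the time the number is entered, as the thread recommends.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return {"last4": pan[-4:], "fingerprint": card_fingerprint(pan, exp, key)}


def matches(record: dict, pan: str, exp: str, key: bytes) -> bool:
    """Did a returning visitor just type the card on file? Constant-time compare."""
    return hmac.compare_digest(record["fingerprint"], card_fingerprint(pan, exp, key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in practice: loaded from config outside the DB
    test_pan = "4111111111111111"          # constructed test number, Luhn-valid
    rec = make_record(test_pan, "0105", key)
    print(rec["last4"], matches(rec, test_pan, "0105", key))
```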