On Tue, 2004-08-10 at 20:01, Geoffrey Young wrote:
> that really depends on your business - if you are, say, an ISP that invoices
> clients monthly asking them to give you a CC number each month is not
> exactly customer friendly :)

Verisign, and undoubtedly others, will store it for you and give you an
ID that you can use to charge against it later.  This means that someone
who compromises your server can't do anything but make more charges that
would be transferred to your company's bank account.  They also offer an
API for setting up recurring monthly charges without keeping the
numbers.

> at $company we did not encrypt credit card data, which surprised many
> people.

The big problem is that if someone gets in, and takes the credit card
numbers, then a big newspaper story gets published saying that your
company didn't encrypt card numbers and you look irresponsible.

> but hiding the decryption key from technical people is generally
> impossible

Only if they crack your application server.  Cracking the database or
sniffing packets would not be good enough, assuming traffic to your
credit card company is over SSL.

> sure encrypting it keeps it out of the hands of your sales
> people and CSRs.  well, unless you let those people add or change credit
> card information, in which case they could be writing them down all day...

They could be writing down new ones that they are asked to add, but not
old ones.

- Perrin
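The store-it-with-the-processor design Perrin describes, as an added illustration that is not part of this thread: the merchant sends the card number to the processor once, keeps only an opaque token plus the last four digits, and bills later by token. `ProcessorVault` is a hypothetical stand-in for a processor API such as the Verisign one mentioned, not its real interface; the PAN is a constructed test value.

```python
import secrets

class ProcessorVault:
    """Stand-in for the card processor's storage API (hypothetical, not
    Verisign's real interface). Only the processor ever holds the PAN."""
    def __init__(self, merchant_account):
        self.merchant_account = merchant_account   # where every charge settles
        self._cards = {}                            # token -> PAN, processor side only
        self.charges = []                           # (token, cents, settlement account)

    def store(self, pan):
        # The token is random, so nothing about it can be reversed into a PAN.
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = pan
        return token

    def charge(self, token, cents):
        if token not in self._cards:
            raise KeyError("unknown token")
        # A stolen token is only good for charges that settle to this merchant.
        self.charges.append((token, cents, self.merchant_account))
        return len(self.charges)                    # charge id

class MerchantDB:
    """Everything kept on the merchant's side: token and display data only."""
    def __init__(self):
        self.customers = {}

def enroll(vault, db, cust_id, pan):
    """Send the PAN to the processor once; keep only the token and last four."""
    token = vault.store(pan)
    db.customers[cust_id] = {"token": token, "last4": pan[-4:]}
    return token

def bill(vault, db, cust_id, cents):
    """Monthly invoice: charge by token, no card number needed on our side."""
    return vault.charge(db.customers[cust_id]["token"], cents)

def dump_leaks_pan(db, pan):
    """Model an attacker who reads the whole merchant DB and searches for the PAN."""
    return pan in repr(db.customers)

if __name__ == "__main__":
    vault, db = ProcessorVault("merchant-acct-0001"), MerchantDB()
    pan = "4111111111111111"                        # constructed test PAN
    enroll(vault, db, "cust-42", pan)
    print(bill(vault, db, "cust-42", 1999), dump_leaks_pan(db, pan))
```

A compromise of the merchant database yields tokens and last-four digits, which is exactly the outcome the thread argues for.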


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
