>>but hiding the decryption key from technical people is generally
>>impossible
>
> Only if they crack your application server. Cracking the database or
> sniffing packets would not be good enough, assuming traffic to your
> credit card company is over SSL.

oh, sure. I guess I had a different mindset with all of that - internal employees. for most big companies I would assume that accessing the underlying Oracle financials database (or some other "enterprise" solution) with _all_ the credit card numbers would be sufficiently difficult for outside hackers. I'd be much more worried about the disgruntled employee causing trouble.

but you're right - crackers are a legitimate concern for this kind of thing, and I wasn't aware of the role that verisign is now playing (which I guess is the cost of having worked someplace where we built everything from scratch).

so, thanks for the knowledge :)

--Geoff