On Tue, Aug 10, 2004 at 08:57:14PM -0400, Geoffrey Young wrote:

> >>but hiding the decryption key from technical people is generally
> >>impossible
> >
> > Only if they crack your application server. Cracking the database or
> > sniffing packets would not be good enough, assuming traffic to your
> > credit card company is over SSL.
>
> oh, sure.
>
> I guess I had a different mindset with all of that - internal employees.
> for most big companies I would assume that accessing the underlying Oracle
> financials database (or some other "enterprise" solution) with _all_ the
> credit card numbers would be sufficiently difficult for outside hackers.
> I'd be much more worried about the disgruntled employee causing trouble.
>
> but you're right - crackers are a legitimate concern for this kind of thing,
> and I wasn't aware of the role that verisign is now playing (which I guess
> is the cost of having worked someplace where we built everything from
> scratch). so, thanks for the knowledge :)
>
> --Geoff
>
> --
> Report problems: http://perl.apache.org/bugs/
> Mail list info: http://perl.apache.org/maillist/modperl.html
> List etiquette: http://perl.apache.org/maillist/email-etiquette.html
This is about to go out to CPAN, but since it seems there is some question as to how to do this, I'll send it out a little early.

Attached is a module for safely encrypting and storing credit cards using the Business::OnlinePayment interface. It uses a public RSA key and Crypt::OpenSSL::RSA to encrypt a randomly generated Blowfish symmetric key, which is used with Crypt::CBC to encrypt the credit card details. Also included is a module for reversing the transaction given the RSA private key.

This allows one to store credit cards safely on the server, by not putting the private RSA key on the same machine. To retrieve the cards, simply pull the data to an offline machine, and decrypt using the RSA private key. Assuming you aren't an idiot and leave the private key somewhere internet accessible, this should be as proof against hackers as any other credit card processing.

enjoy

mock
Business-OnlinePayment-StoredTransaction-0.01.tar.gz
Description: application/tar-gz
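The split described in the post, as an added Go example that is not the module's own code: the web server generates a fresh random symmetric key per card, encrypts the card details with it, and wraps that key with the RSA public key, so records can be written by a machine that cannot read them and opened only on the offline machine holding the private key. AES-256-GCM from Go's standard library stands in for the module's Blowfish/CBC (and additionally detects a record that was altered in the database), RSA-OAEP for its RSA padding; the function names and the record layout (wrapped key plus nonce||ciphertext) are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// aead builds the per-record AES-256-GCM cipher (our stand-in for the module's Blowfish/CBC).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the web server (public key only) and returns the OAEP-wrapped key and nonce||ciphertext.
func Encrypt(pub *rsa.PublicKey, details []byte) (wrappedKey, record []byte, err error) {
	buf := make([]byte, 32+12) // fresh random key || random nonce for every card
	if _, err = io.ReadFull(rand.Reader, buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	g, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return nil, nil, err
	}
	return wrappedKey, g.Seal(nonce, nonce, details, nil), nil
}

// Decrypt runs only on the offline machine holding the private key; a record
// whose wrapped key or ciphertext was altered fails to open.
func Decrypt(priv *rsa.PrivateKey, wrappedKey, record []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if g, err := aead(key); err == nil && len(record) >= g.NonceSize() {
		return g.Open(nil, record[:g.NonceSize()], record[g.NonceSize():], nil)
	}
	return nil, errors.New("stored record is malformed")
}
```

The web server process needs only the public key in its configuration; the private key is generated and kept on the offline machine, and a record can only be decrypted there.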