On Wed, Aug 11, 2004 at 09:36:42AM -0400, Perrin Harkins wrote:
> mock wrote:
> > This is about to go out to CPAN, but since it seems there is some question
> > as to how to do this, I'll send it out a little early. Attached is a module
> > for safely encrypting and storing credit cards using the
> > Business::OnlinePayment interface.
>
> Public key encryption is the best that can be done here, but even so, if
> a cracker compromises your machine, he can just add a "warn $cc_number"
> in your code before you encrypt it. Your old cards will be safe though.
>
> - Perrin
It's (almost) exactly equivalent to any other credit card processing. The
blackhat in question could add a warn statement to any credit card
processing (unless it's a third-party payment system like PayPal). The
only other risk with this system is that if you lose your private key
then the security is compromised. This really isn't an additional risk,
as the credit card processors you are relying on have the exact same
problem.

There is the additional problem with external processors, in that they
are often vulnerable to man-in-the-middle attacks, which if I were a
h/cracker (which I suppose I am at times -- come to our security
conference in Tokyo in November http://www.pacsec.jp -- shameless plug)
would be the first place I'd attack.

As you said though, your old cards will be safe.

mock

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
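The split both posts describe, as an added example that is not the module from the thread nor any code of its author: the web tier is given only the public key, so it can encrypt a card but never read one back, and the private key stays in a separate back-office process. It is written in Python against the third-party `cryptography` package (assumed installed) rather than Perl; `WebTier`, `BackOffice`, the key id and the card number are all illustrative, constructed values. The check a practitioner would want is also there: OAEP and a fresh per-record AES key make every stored record randomised, so someone who copies the public key and the database cannot enumerate the small space of valid card numbers against it, which textbook RSA would allow.

```python
"""Added example: public-key storage of card data in the shape the thread
describes.  Hybrid construction: a fresh AES-256-GCM key per record,
wrapped with RSA-OAEP.  Requires the third-party `cryptography` package."""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP with SHA-256: randomised padding, so the same data key never wraps
# to the same bytes twice.  Textbook RSA would let anyone holding the
# public key enumerate valid card numbers against the stored records.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair() -> tuple[bytes, bytes]:
    """Run once, offline.  Only the public PEM is copied to the web server."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


class WebTier:
    """Hypothetical order-taking process.  It holds no private key, so an
    attacker who owns this box gets the cards that pass through after the
    break-in (the `warn $cc_number` attack), not the records already stored."""

    def __init__(self, pub_pem: bytes, key_id: str):
        self.pub = serialization.load_pem_public_key(pub_pem)
        self.key_id = key_id  # names the wrapping key, for later rotation

    def store_card(self, number: str, expiry: str) -> dict:
        record = json.dumps({"number": number, "expiry": expiry}).encode()
        dek = AESGCM.generate_key(bit_length=256)   # per-record data key
        nonce = os.urandom(12)
        aad = self.key_id.encode()                   # bind record to key id
        return {
            "key_id": self.key_id,
            "wrapped_dek": self.pub.encrypt(dek, OAEP).hex(),
            "nonce": nonce.hex(),
            "ct": AESGCM(dek).encrypt(nonce, record, aad).hex(),
        }


class BackOffice:
    """Hypothetical settlement process; the only holder of the private key."""

    def __init__(self, priv_pem: bytes, key_id: str):
        self.priv = serialization.load_pem_private_key(priv_pem, password=None)
        self.key_id = key_id

    def open_card(self, blob: dict) -> dict:
        if blob["key_id"] != self.key_id:
            raise ValueError("record was wrapped under a different key")
        dek = self.priv.decrypt(bytes.fromhex(blob["wrapped_dek"]), OAEP)
        record = AESGCM(dek).decrypt(bytes.fromhex(blob["nonce"]),
                                     bytes.fromhex(blob["ct"]),
                                     blob["key_id"].encode())  # InvalidTag if altered
        return json.loads(record)


def demo() -> dict:
    """End-to-end run with a constructed test card number (not a real card)."""
    priv_pem, pub_pem = generate_keypair()
    kid = "cards-2004-08"
    web = WebTier(pub_pem, kid)
    first = web.store_card("4111111111111111", "12/06")
    second = web.store_card("4111111111111111", "12/06")  # same card again

    office = BackOffice(priv_pem, kid)
    ct = bytes.fromhex(first["ct"])
    tampered = dict(first, ct=(ct[:-1] + bytes([ct[-1] ^ 0x01])).hex())
    try:
        office.open_card(tampered)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    return {
        "opened": office.open_card(first),
        "randomised": first["ct"] != second["ct"]
                      and first["wrapped_dek"] != second["wrapped_dek"],
        "web_tier_has_private_key": hasattr(web, "priv"),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `key_id` carried with each record is what makes the "lost private key" point from the reply manageable in practice: records wrapped under an old key stay readable by whichever back office still holds that key, while new orders move to a new pair by changing only the public PEM on the web tier.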