I am running a website where users enter a credit card # (we have several
hundred thousand users and this works fine) and they are stored in the
database, and their membership is renewed monthly. I keep the credit card
#'s in a separate database with strict permissions, and ALL data is
encrypted using MySQL's function so it's fast, and the salt to encrypt them is
stored in a binary file readable only by that server and select admins
... never had a problem. If I wanted to make it more secure, I am doing
this... I am writing a separate compiled C program to enter the database and
do the membership renewals, rather than PHP, and this way the salt used to
decode the credit card info is NEVER in plaintext on the server, and that
program won't run on another server... so no matter how badly we are hacked, it
is very difficult to get the information from us. This seems to be a good and
fast method.

----- Original Message -----
From: "Chris Cameron" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 01, 2001 4:27 PM
Subject: Storing Credit Cards


> A client has asked us to make him an application that requires us keeping
> Credit Card Numbers. I'm a bit concerned as it immediately reminded me of
> egghead.com (having all their CC #'s stolen).
>
> One of the ideas was to have the user's password encrypted as an md5 hash,
> and then to encrypt the user's CC with their password. So we wouldn't
> actually keep anything that could immediately show credit card numbers on
> the server. The problem this creates is whenever we need to use their
> credit card, the user needs to enter in their password. Which would be
> quite inconvenient as we'd use it in many places (like showing the last 4
> digits to verify it's the right card).
>
> The only other idea was to just stick them in plain text and keep people
> far away from the MySQL server.
>
> Has anyone had any experience with this? Or any suggestions?
>
> Thanks,
> Chris
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>


