At 11:21 AM 10/06/2002, David Gerler wrote:
>Hi,
>Can someone give me an overview
>of protecting the numbers with mysql and SSL? Will the SSL protect the
>numbers when they are stored on the site? Or just when they are
>transmitted? Should I use something like PGP to encrypt the numbers
>before storing?

Sounds like you've answered your own questions.  :)

SSL = Secure Socket Layer.
Socket in the sense of a network socket/connection.  SSL will NOT ensure 
protection/encryption of the information once you have it on the server.

I've used PGP Command line encryption in the past to do the types of things 
you're talking about here.  However, if you're a programmer or have access 
to one, you may want to look into using http://www.openssl.org/ to encrypt 
the numbers before they go into the database.

You need to be extremely careful in doing what you're proposing above.  If 
you AUTOMATE some sort of process of charging the cards, then you're likely 
talking about storing the routines and passwords to retrieve and decrypt 
the CC numbers automatically.  This implies hard-coding a private key and 
password somewhere on your system.  This type of system (IMO) should NEVER 
be connected to the Internet.  At the very least I'd recommend having a 
separate off-line system where your credit card numbers are archived to, 
and where that system dials up the bank network to perform the monthly charges.

NEVER under any circumstances should you "permanently" store CCs (even 
encrypted) on systems that are connected to the Internet.  I say 2 to 3 
days max before archiving them off-line (off-Internet).  This minimizes the 
risk if a hacker should happen to break in.

- hawk

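The split hawk describes above (encrypt on the web server, decrypt only on the off-line box) can be done with public-key encryption so that the Internet-facing host never holds a key that can decrypt anything. The script below is an added example using the openssl command line, not code from the list post or from MySQL: the key file names, the temporary directory and the sample card number 4111111111111111 (a well-known test PAN, constructed here for the illustration) are all assumptions. The web side only ever sees web-public.pem; offline-private.pem is what would live on the dial-up system.

```shell
#!/bin/sh
# Added example: asymmetric encryption with the openssl CLI so the web server
# holds only a public key. Paths and the sample PAN are constructed for this
# illustration; nothing here is taken from the original post.
set -eu

WORKDIR=$(mktemp -d)
PRIV="$WORKDIR/offline-private.pem"   # generated and kept on the off-line system
PUB="$WORKDIR/web-public.pem"         # the only key copied to the web server

# Run once on the off-line box; only the public half is copied to the web host.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# Web server side: encrypt a card number with the public key and emit a single
# base64 line suitable for a VARCHAR/TEXT column. No decryption is possible here.
encrypt_pan() {
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$PUB" -pkeyopt rsa_padding_mode:oaep \
        | openssl base64 -A
}

# Off-line side: decrypt a stored ciphertext with the private key.
decrypt_pan() {
    printf '%s' "$1" \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$PRIV" -pkeyopt rsa_padding_mode:oaep
}

# Round trip with the constructed test PAN.
gen_keys
CT=$(encrypt_pan 4111111111111111)
echo "stored in the database: $CT"
echo "recovered off-line:     $(decrypt_pan "$CT")"
```

Each card number is a separate RSA-OAEP message, so a compromise of the web host yields ciphertexts and a public key only; the private key, and therefore the plaintext, is only ever on the machine that is not on the Internet.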

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)
