Hack Hawk wrote:

>> This implies hard-coding a private key and password somewhere on your
>> system. This type of system (IMO) should NEVER be connected to the
>> Internet.
>
> Agreed and doubly agreed. In fact, I'd say you should never save a CC #
> in your database _ever_ unless you're doing routine billing to it from
> accounting software. If you just want to 'remember' the user's CC # so
> they don't have to type it back in, then don't -- point out on the
> website that that would be a security risk and, for their own safety,
> you'd like them to re-enter the card # every time they make a purchase.
>
>> NEVER under any circumstances should you "permanently" store CC's
>> (even encrypted) on systems that are connected to the Internet.
>
> Agreed.
>
>> I say 2 to 3 days max before archiving them off-line (off-Internet).
>> This minimizes the risk if a hacker should happen to break in.
>
> Or seconds ... 2 or 3 days is a long time in hacked-time; set up a
> write-only encrypted pipe to send the cards (if indeed you must store
> them) to a database which can only be read from locally and doesn't
> allow any form of login or connection from the webserver machine except
> the write-only db connection.

Stupid SQL spam filter ...

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
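Editor's note: the "write-only encrypted pipe" described in the quoted reply is easy to misread as a network trick; on MySQL (the list this thread is from) it is mostly a privilege layout. The following is an added example, not code from anyone in the thread. It assumes MySQL 5.7 or later (for CREATE USER ... REQUIRE SSL), a card-vault server that is not the web server, a hypothetical web server address of 192.0.2.10, and hypothetical names (cardvault, pending_cards, webwriter, billing) and placeholder passwords. The web server's account can only INSERT, and only over TLS from its own address; the account that can SELECT exists only for connections from localhost on the vault host itself.

```sql
-- Run on the card-vault host (not the web server).

CREATE DATABASE IF NOT EXISTS cardvault;
USE cardvault;

-- The web server never writes a plaintext PAN here: card_blob is the
-- ciphertext it produced with a public key whose private half exists only
-- on the vault host (or further offline).  A SELECT privilege on this
-- table is therefore only granted to the local billing account below.
CREATE TABLE pending_cards (
  id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  order_id   INT UNSIGNED NOT NULL,
  card_blob  BLOB         NOT NULL,
  created_at TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Write-only account for the web server.  It may connect only from the
-- web server's address and only over TLS (the "encrypted pipe"), and the
-- only privilege it holds is INSERT on this one table: a compromised web
-- server can push rows in but cannot read, change or delete them.
CREATE USER 'webwriter'@'192.0.2.10'
  IDENTIFIED BY 'replace-with-a-long-random-secret'
  REQUIRE SSL;
GRANT INSERT ON cardvault.pending_cards TO 'webwriter'@'192.0.2.10';

-- Read/purge account for the archiving or billing job.  Bound to
-- 'localhost', so it can never be used over the network from the web
-- server (or anywhere else); it pulls rows off for off-line archiving and
-- deletes them, which keeps the on-line window to minutes, not days.
CREATE USER 'billing'@'localhost'
  IDENTIFIED BY 'replace-with-a-different-long-random-secret';
GRANT SELECT, DELETE ON cardvault.pending_cards TO 'billing'@'localhost';

FLUSH PRIVILEGES;

-- Check from a webwriter session on the web server: the INSERT succeeds,
-- the SELECT must fail with ERROR 1142 (42000): SELECT command denied.
-- INSERT INTO cardvault.pending_cards (order_id, card_blob)
--   VALUES (1001, X'00');          -- placeholder ciphertext for the test
-- SELECT * FROM cardvault.pending_cards;
```

Two caveats a practitioner would add. First, INSERT-only grants do nothing about the card number's trip through the web application itself: an attacker who owns the web server can still read cards as customers type them in, which is why the reply insists the data be encrypted before it is written and why the cleanest answer is still not to store the number at all. Second, the vault's MySQL listener must be reachable from the web server, so `skip-networking` is not an option; instead set `bind-address` to an internal interface, firewall the port to the web server's address, and make sure no other account on the vault server is allowed a remote host pattern such as `'%'`.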