RE: storing credit card numbers in a database

[Nick Wagner]

Title: storing credit card numbers in a database

it would be safer to encrypt the credit card number at the application level, and insert that string into the database, because anyone with a decent sniffer would be able to pick it out of the SQL*Net code. Whether or not they even have access to the database. 

 

-----Original Message-----
From: Richard Ji [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 12:40 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: storing credit card numbers in a database

Besides the DBMS_OBFUSCATION_TOOLKIT, Application Security Inc also has a product to encrypt data in the database.  Check out their web site www.appsecinc.com.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 3:25 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: storing credit card numbers in a database

We have been looking at a similar requirement..so far it seems if you want to use oracle's encryption (DBMS_OBFUSCATION_TOOLKIT)  tool kit encryption has to be done in code and passed to the database and vice versa.

 

There is a product called secure.data for oracle database from protegrity which claims to be application transparent..I have not worked with that but it is an option.

 

Thanks
Mohammed Ahsanuddin
Oracle DBA
-----Original Message-----
From: Chris Stephens [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 2:06 PM
To: Multiple recipients of list ORACLE-L
Subject: storing credit card numbers in a database

I've been asked to find out a way to encrypt credit card numbers and store that encrypted string in the database.  ...any oracle functions or functionality to do this? ....or would we have to encrypt the numbers in the application and then pass that string to the database?

We don't want anyone to be able to get to the numbers even if they have access to the table in which it is stored.

Thanks for any input
chris