Re: SOT - Passing Credit Card info w/o storing in DB
heh heh. i had something like that going at my last job. i think i spent 20 hours making an elaborate scheme like that - by the time they were done paying for the coding I had done, they could have paid for a fully-functioning gateway twice over.

oh well, clients will be clients, and no matter what you tell them, they are going to do what they want. big props for you getting them to sign off on the liability issue. that's huge.

Security by obscurity!

On 6/6/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
>
> Matt Robertson wrote:
> > The robot has it right. You should only be transmitting cc info via a
> > secure gateway to a cc processor,
>
> Agreed
>
> I've got one client that INSISTS on processing their web CC payments
> themselves. The only thing I could come up with that made me comfortable:
>
> 1. I've got a signed statement from them saying I'm not liable for
>    anything that may happen due to their wicked ways!
>
> 2. The card number is split into 6 segments
>    a. 3 of which are encrypted and stored in a database
>    b. Expiry month is encrypted and stored in a database
>    c. other 3 segments are emailed to them
>    d. expiry year is emailed to them.
>
> They have to log into their admin system to retrieve the missing 1/2 of
> the CC info. As soon as they access it, it's automatically erased and
> replaced with random numbers, also encrypted.
>
> I figure if anybody breaks into the system, and finds CC1 through CC6
> fields in the database, 1/2 of which is real numbers and 1/2 which is
> fake, and all of it is fake after less than 24 hours and all is
> encrypted - even if they broke the encryption they'd still only have
> half of the needed info and no idea of which half they had...
>
> It's convoluted, but it's about as secure as I could figure out how to
> do and still meet their request. Won't do it again for anybody else
> though.

Re: SOT - Passing Credit Card info w/o storing in DB
Matt Robertson wrote:
> The robot has it right. You should only be transmitting cc info via a
> secure gateway to a cc processor,

Agreed

I've got one client that INSISTS on processing their web CC payments themselves. The only thing I could come up with that made me comfortable:

1. I've got a signed statement from them saying I'm not liable for anything that may happen due to their wicked ways!

2. The card number is split into 6 segments
   a. 3 of which are encrypted and stored in a database
   b. Expiry month is encrypted and stored in a database
   c. other 3 segments are emailed to them
   d. expiry year is emailed to them.

They have to log into their admin system to retrieve the missing 1/2 of the CC info. As soon as they access it, it's automatically erased and replaced with random numbers, also encrypted.

I figure if anybody breaks into the system, and finds CC1 through CC6 fields in the database, 1/2 of which is real numbers and 1/2 which is fake, and all of it is fake after less than 24 hours and all is encrypted - even if they broke the encryption they'd still only have half of the needed info and no idea of which half they had...

It's convoluted, but it's about as secure as I could figure out how to do and still meet their request. Won't do it again for anybody else though.

Re: SOT - Passing Credit Card info w/o storing in DB
The robot has it right. You should only be transmitting cc info via a secure gateway to a cc processor, where keeping the data safe is their problem.

Just clarifying in case your client wants something like cc nums emailed to them or somesuch. I've had a few of those requests.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

RE: SOT - Passing Credit Card info w/o storing in DB
Just pass it over a secure channel such as SSL. Let the other end worry about storing the CC data. Assuming the other end is a CC processor, you've got nothing to worry about.

Russ

> -Original Message-
> From: Steve Kahn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 2:48 PM
> To: CF-Talk
> Subject: SOT - Passing Credit Card info w/o storing in DB
>
> Does anyone know if this can be done or have suggestions to a better
> method?
>
> Securely passing credit card info entered into a form to a recipient
> without storing it in a database?
>
> TIA

Re: SOT - Passing Credit Card info w/o storing in DB
Use a gateway?

On 6/6/07, Steve Kahn <[EMAIL PROTECTED]> wrote:
>
> Does anyone know if this can be done or have suggestions to a better
> method?
>
> Securely passing credit card info entered into a form to a recipient
> without storing it in a database?
>
> TIA