Re: [PHP-DB] Credit Card Encryption
OK, I've done some research and some thinking. What about storing orders in the database (product info and customer info) and then using GnuPG or PGP to send the credit card info to the merchant? This way the credit card information is not stored on the server or in the database, but only in printed format by the merchant. Since my client processes all of the credit card orders by hand this seems like an ideal solution. What is more, the order and customer info do not need to be present in the encrypted emails. That way the email does not contain a customer name, but only an order id (which could even be a unique and hidden value stored via AES in the mysql db). What are your thoughts?

Keith

----- Original Message -----
From: "Bastien Koert" <[EMAIL PROTECTED]>
To: "Keith Spiller" <[EMAIL PROTECTED]>;
Sent: Tuesday, December 18, 2007 9:41 PM
Subject: RE: [PHP-DB] Credit Card Encryption

> Think very carefully about what you want to do here. PCI (payment card industry) has radically changed the rules about how CC data is stored in a networked environment. If your data environment is shared (shared web hosting), don't even think about it. There are a large number of rules that you need to follow to make your data systems PCI compliant [ http://www.pcicomplianceguide.org/ ] and they are not easy to follow. Things like strong encryption, code audits by qualified third parties etc.
>
> If you absolutely need to store the data (many of my large clients do this):
>
> 1. the database server should not be web facing, nor accessible internally by the web servers
> 2. the access (physical and electronic) should be extremely limited
> 3. the facility that holds the data should be hardened with limited controlled access
> 4. provide a cross reference number to the CC that other applications can use to replace the CC number
>
> If you are storing transactional data, just store the confirmation number that is returned by the payment gateway that you use. Let the payment gateway assume the risks of handling the data, it's what they get paid for. If the data is for re-occurring payments, let the payment gateway handle it, many support these kinds of payments.
>
> Bastien
>
> > From: [EMAIL PROTECTED]
> > To: php-db@lists.php.net
> > CC: [EMAIL PROTECTED]
> > Date: Tue, 18 Dec 2007 18:20:08 -0700
> > Subject: [PHP-DB] Credit Card Encryption
> >
> > Hi Everyone,
> >
> > I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.
> >
> > Thanks.
> >
> > Keith

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
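The scheme Keith describes above, written out as an added example (this is not code from the thread or from any of its participants): the card details are encrypted to the merchant's GnuPG public key with the PECL gnupg extension and e-mailed, while the server keeps only the order and an opaque order reference. It assumes the gnupg extension is loaded, that a keyring at $gnupgHome holds the merchant's public key and nothing else (the private key stays on the merchant's machine), and that $merchantFingerprint, the addresses and the $card array are placeholders or constructed input.

```php
<?php
// Added example, not code from the thread. It implements Keith's proposal:
// encrypt the card details to the merchant's GnuPG public key and e-mail the
// ciphertext, so the web server stores the order but never the card number.
// Assumptions: the PECL gnupg extension is loaded; a keyring at $gnupgHome
// contains the merchant's PUBLIC key only (the private key stays with the
// merchant); $merchantFingerprint and the addresses are placeholders; $card
// is constructed input standing in for the checkout form.

declare(strict_types=1);

/** Opaque reference that ties the e-mail to the stored order without naming the customer. */
function newOrderRef(): string
{
    return bin2hex(random_bytes(8));   // 16 hex chars, unguessable
}

/** Encrypt the card details to the merchant's key. The plaintext exists only in memory here. */
function encryptCardForMerchant(string $gnupgHome, string $fingerprint, string $orderRef, array $card): string
{
    putenv('GNUPGHOME=' . $gnupgHome);
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION);  // throw instead of returning false
    $gpg->addencryptkey($fingerprint);           // encrypt to the merchant's public key only

    $plain = sprintf(
        "Order reference: %s\nCard number: %s\nExpiry: %02d/%04d\nName on card: %s\n",
        $orderRef, $card['number'], $card['exp_month'], $card['exp_year'], $card['name']
    );
    return $gpg->encrypt($plain);                // ASCII-armoured OpenPGP message
}

/** Send the ciphertext. Subject and body carry only the order reference. */
function sendCardToMerchant(string $gnupgHome, string $fingerprint, string $merchantEmail, string $orderRef, array $card): void
{
    $cipher  = encryptCardForMerchant($gnupgHome, $fingerprint, $orderRef, $card);
    $headers = "From: shop@example.com\r\nContent-Type: text/plain; charset=us-ascii\r\n";
    if (!mail($merchantEmail, 'New order ' . $orderRef, $cipher, $headers)) {
        throw new RuntimeException('could not hand order ' . $orderRef . ' to the mailer');
    }
}

// --- usage: placeholders and constructed form input ---
$gnupgHome           = '/var/lib/shop/gnupg';                       // readable by the web user only
$merchantFingerprint = '0123456789ABCDEF0123456789ABCDEF01234567';  // placeholder; use the real fingerprint
$merchantEmail       = 'orders@example.com';

$card = ['number' => '4111111111111111', 'exp_month' => 12, 'exp_year' => 2009, 'name' => 'A Customer'];

$orderRef = newOrderRef();
// ... insert the order and customer rows keyed by $orderRef here; $card is never written ...
sendCardToMerchant($gnupgHome, $merchantFingerprint, $merchantEmail, $orderRef, $card);
unset($card);   // drop the reference; never log it or include it in error messages
```

Only the merchant's private key can open the message, so a later compromise of the web server or the database yields ciphertext and order references, not card numbers. The card number still passes through the web server during the request, so the checkout form has to be served over TLS, the number must be kept out of access and error logs, and the merchant's printed copies become the thing that needs locking up.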
Re: [PHP-DB] Credit Card Encryption
Thanks for the information, especially the PCI compliance link and info.

Keith

----- Original Message -----
From: Bastien Koert
To: Keith Spiller ; php-db@lists.php.net
Sent: Tuesday, December 18, 2007 9:41 PM
Subject: RE: [PHP-DB] Credit Card Encryption

> Think very carefully about what you want to do here. PCI (payment card industry) has radically changed the rules about how CC data is stored in a networked environment. If your data environment is shared (shared web hosting), don't even think about it. There are a large number of rules that you need to follow to make your data systems PCI compliant [ http://www.pcicomplianceguide.org/ ] and they are not easy to follow. Things like strong encryption, code audits by qualified third parties etc.
>
> If you absolutely need to store the data (many of my large clients do this):
>
> 1. the database server should not be web facing, nor accessible internally by the web servers
> 2. the access (physical and electronic) should be extremely limited
> 3. the facility that holds the data should be hardened with limited controlled access
> 4. provide a cross reference number to the CC that other applications can use to replace the CC number
>
> If you are storing transactional data, just store the confirmation number that is returned by the payment gateway that you use. Let the payment gateway assume the risks of handling the data, it's what they get paid for. If the data is for re-occurring payments, let the payment gateway handle it, many support these kinds of payments.
>
> Bastien
>
> > From: [EMAIL PROTECTED]
> > To: php-db@lists.php.net
> > CC: [EMAIL PROTECTED]
> > Date: Tue, 18 Dec 2007 18:20:08 -0700
> > Subject: [PHP-DB] Credit Card Encryption
> >
> > Hi Everyone,
> >
> > I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.
> >
> > Thanks.
> >
> > Keith
RE: [PHP-DB] Credit Card Encryption
Think very carefully about what you want to do here. PCI (payment card industry) has radically changed the rules about how CC data is stored in a networked environment. If your data environment is shared (shared web hosting), don't even think about it. There are a large number of rules that you need to follow to make your data systems PCI compliant [ http://www.pcicomplianceguide.org/ ] and they are not easy to follow. Things like strong encryption, code audits by qualified third parties etc.

If you absolutely need to store the data (many of my large clients do this):

1. the database server should not be web facing, nor accessible internally by the web servers
2. the access (physical and electronic) should be extremely limited
3. the facility that holds the data should be hardened with limited controlled access
4. provide a cross reference number to the CC that other applications can use to replace the CC number

If you are storing transactional data, just store the confirmation number that is returned by the payment gateway that you use. Let the payment gateway assume the risks of handling the data, it's what they get paid for. If the data is for re-occurring payments, let the payment gateway handle it, many support these kinds of payments.

Bastien

> From: [EMAIL PROTECTED]
> To: php-db@lists.php.net
> CC: [EMAIL PROTECTED]
> Date: Tue, 18 Dec 2007 18:20:08 -0700
> Subject: [PHP-DB] Credit Card Encryption
>
> Hi Everyone,
>
> I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.
>
> Thanks.
>
> Keith
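Bastien's point 4 and his "just store the confirmation number" advice amount to the same design: the gateway's reference replaces the card number everywhere in your own systems. The following is an added example, not code from the thread, of what that looks like in PHP, including the guard a practitioner wants: a check that nothing resembling a full card number is ever written. The $gatewayResponse field names are made up, and SQLite stands in for MySQL so the example runs offline.

```php
<?php
// Added example, not code from the thread. It follows Bastien's advice to keep
// only the gateway's confirmation number (his "cross reference number") and
// never the card number itself, and it refuses to write anything that looks
// like a full PAN. Assumptions: the $gatewayResponse field names are made up,
// and SQLite stands in for MySQL so the example runs offline.

declare(strict_types=1);

/** Luhn checksum, the quick test for "does this look like a card number". */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Throw before any value that looks like a full PAN reaches the database. */
function assertNoPan(array $row): void
{
    foreach ($row as $field => $value) {
        $digits = preg_replace('/[\s-]/', '', (string) $value);
        if (preg_match('/^[0-9]{13,19}$/', $digits) && luhnValid($digits)) {
            throw new RuntimeException("refusing to store what looks like a card number in '$field'");
        }
    }
}

/** Persist the gateway's reference plus the display-safe card data only. */
function recordPayment(PDO $db, int $orderId, array $gatewayResponse): void
{
    if (($gatewayResponse['status'] ?? '') !== 'approved') {
        throw new RuntimeException('gateway did not approve the charge');
    }
    $row = [
        'order_id'     => $orderId,
        'gateway_ref'  => $gatewayResponse['transaction_id'], // replaces the card number everywhere else
        'card_brand'   => $gatewayResponse['card_brand'],
        'card_display' => $gatewayResponse['masked_pan'],     // e.g. ************1111; last four only
        'amount_cents' => $gatewayResponse['amount_cents'],
    ];
    assertNoPan($row);

    $stmt = $db->prepare(
        'INSERT INTO payments (order_id, gateway_ref, card_brand, card_display, amount_cents)
         VALUES (:order_id, :gateway_ref, :card_brand, :card_display, :amount_cents)'
    );
    $stmt->execute($row);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (
    order_id INTEGER PRIMARY KEY, gateway_ref TEXT NOT NULL UNIQUE,
    card_brand TEXT, card_display TEXT, amount_cents INTEGER NOT NULL)');

// Constructed gateway response; a real gateway's field names will differ.
$approved = [
    'status'         => 'approved',
    'transaction_id' => 'GW-20071218-000042',
    'card_brand'     => 'visa',
    'masked_pan'     => '************1111',
    'amount_cents'   => 4999,
];
recordPayment($db, 1001, $approved);

// A response (or a bug upstream) that hands us the full PAN must not reach the table.
$leaky = $approved;
$leaky['transaction_id'] = 'GW-20071218-000043';
$leaky['masked_pan']     = '4111111111111111';   // the standard Visa test number
try {
    recordPayment($db, 1002, $leaky);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM payments')->fetchColumn(), "\n";
```

The second call is rejected by assertNoPan, so only the first payment is stored. Refunds, disputes and recurring charges are then done by quoting gateway_ref back to the gateway, which is the "cross reference number" other applications use instead of the card number.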
RE: [PHP-DB] Credit Card Encryption
And if you do store it, don't store it on the web server. Make sure it's on another server behind another firewall. You don't want someone that hacks into your web server to have ready access to your database.

I think AES is supposed to be the best, then 3DES is next. (That's 3DES, or triple DES, not DES.) But like Chris said: if you don't have to, don't do it. But if you must, encrypt all of the personal information data points, not just the CC info.

Gary

> -----Original Message-----
> From: Chris [mailto:[EMAIL PROTECTED]]
> Sent: Tue, December 18, 2007 9:30 PM
> To: Keith Spiller
> Cc: php-db@lists.php.net
> Subject: Re: [PHP-DB] Credit Card Encryption
>
> Keith Spiller wrote:
> > Hi Everyone,
> >
> > I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.
>
> Why do you need to store c/c info? If at all possible, don't.
>
> If you're looking for something like recurring payments, use paypal or one of the other payment providers that support it.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
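Keith's original question was whether to encrypt inside MySQL (AES_ENCRYPT) or in PHP, and Gary's advice is AES applied to every personal field. As an added example that is not code from the thread, here is the PHP-side option using libsodium's authenticated secretbox, which keeps the key out of the SQL text and off the database server altogether. It assumes the sodium extension is loaded, that the key comes from an environment variable named SHOP_FIELD_KEY (a placeholder name) set outside the web root, and uses SQLite in place of MySQL so it runs offline.

```php
<?php
// Added example, not code from the thread. Application-side encryption of
// personal fields with libsodium (XSalsa20-Poly1305, authenticated): the key
// never appears in a query, a query log, or the database server's memory.
// Assumptions: the sodium extension is loaded; SHOP_FIELD_KEY is a placeholder
// environment variable holding the hex-encoded 32-byte key; SQLite stands in
// for MySQL so the example runs offline; the customer record is constructed.

declare(strict_types=1);

/** Load the 32-byte key from the environment; never from a column or the query text. */
function fieldKey(): string
{
    $hex = getenv('SHOP_FIELD_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('SHOP_FIELD_KEY is missing or the wrong length');
    }
    return sodium_hex2bin($hex);
}

/** Encrypt one field as nonce || ciphertext+tag, base64 so it fits a TEXT column. */
function sealField(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per field, never reused
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

/** Decrypt one field; a modified ciphertext fails the authentication tag and throws. */
function openField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored field is not a valid sealed value');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('stored field was tampered with or the key is wrong');
    }
    return $plain;
}

// --- usage with constructed data ---
// Demo only: a real deployment sets SHOP_FIELD_KEY in the server environment, not in code.
putenv('SHOP_FIELD_KEY=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
$key = fieldKey();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)');

$customer = ['name' => 'A Customer', 'email' => 'customer@example.com', 'phone' => '+1 555 0100'];
$stmt = $db->prepare('INSERT INTO customers (name, email, phone) VALUES (?, ?, ?)');
$stmt->execute([
    sealField($customer['name'], $key),
    sealField($customer['email'], $key),
    sealField($customer['phone'], $key),
]);

$row = $db->query('SELECT name, email, phone FROM customers WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
foreach ($row as $col => $sealed) {
    echo $col, ': ', openField($sealed, $key), "\n";   // the DB file and its logs hold only ciphertext
}

// Tampering with a stored value (flipping one byte of the ciphertext) is detected on read.
$tampered = base64_decode($row['email'], true);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
try {
    openField(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The contrast with MySQL's AES_ENCRYPT(col, 'key') is where the key lives: in the SQL text, so it passes through the connection, the general and slow query logs, and the database server's memory, and the function's default block mode is ECB (aes-128-ecb), which reveals when two rows hold the same value. Encrypting in PHP keeps the key on the web tier only, which also fits Gary's point that the database should sit on a separate, firewalled host.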
Re: [PHP-DB] Credit Card Encryption
Keith Spiller wrote:
> Hi Everyone,
>
> I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.

Why do you need to store c/c info? If at all possible, don't.

If you're looking for something like recurring payments, use paypal or one of the other payment providers that support it.

--
Postgresql & php tutorials
http://www.designmagick.com/
[PHP-DB] Credit Card Encryption
Hi Everyone,

I'm trying to determine the best method to store credit card numbers in a mysql database. As yet I have been unable to determine whether I should use MySQL AES, DES or a PHP encryption method. I would greatly appreciate any advice you guys could offer.

Thanks.

Keith
[PHP-DB] Re: [PHP] Re: [PHP-DB] force to download file
> I have this on top of my php page:
>
>     header("Content-Type: application/vnd.ms-excel");
>     header("Content-Disposition: inline; filename=excelfile.xls");
>
> but it does not prompt to save the file; instead it opens right in IE. My question is: how do I force the browser to prompt to save the file?

That should do the trick, but if not then try adding the Content-Type header from below. FYI, you have Content-Disposition twice; you only need the second.

--
Richard Heyes
http://www.websupportsolutions.co.uk
Knowledge Base and HelpDesk software that can cut the cost of online support
** NOW OFFERING FREE ACCOUNTS TO CHARITIES AND NON-PROFITS **
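As an added example that is not code from the thread: a download handler that sends the file with the attachment disposition, which is what makes browsers show a save prompt (inline asks them to render the file in place), and that validates the requested file name, which any handler taking the name from the request needs. The export directory and the query parameter name are assumptions.

```php
<?php
// Added example, not code from the thread. Serves a file so that the browser
// prompts to save it: "attachment" triggers the prompt, "inline" asks the
// browser to display the file. The name comes from the request, so it is
// validated before it touches the filesystem or a header.
// Assumptions: $downloadDir is a placeholder path; the file name arrives in
// the "file" query parameter.

declare(strict_types=1);

function sendAsDownload(string $downloadDir, string $requestedName): void
{
    // Never let the client steer the path: drop any directory part, then
    // allow only a conservative character set (no quotes, no CR/LF, no "..").
    $name = basename($requestedName);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,100}$/', $name) || strpos($name, '..') !== false) {
        http_response_code(400);
        exit('bad file name');
    }

    $base = realpath($downloadDir);
    $real = realpath($downloadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('not found');
    }

    // A generic type plus "attachment" makes every browser offer to save the
    // file; application/vnd.ms-excel with "attachment" works just as well if
    // you want Excel associated with it.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($real));
    header('X-Content-Type-Options: nosniff');   // stop IE sniffing the body into HTML
    header('Cache-Control: private, no-transform');
    readfile($real);
    exit;
}

sendAsDownload('/srv/shop/exports', $_GET['file'] ?? 'excelfile.xls');
```

The header() calls have to run before any output, including whitespace before the opening PHP tag, or the response will already have been started with the default headers and the disposition will be ignored.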