[PHP-DB] Re: Storing Credit Cards, Passwords, Securely, two-way encryption
Neil made a great post about storing credit card data at your own site securely. I thought I'd add a note: if you do implement his suggestion, I'd suggest adding a Reference-type situation:

(1) When you add credit card data to the system, have it return a valid Reference to that credit card. This Reference is only valid within your office.

(2) Store the credit card Reference with the end-user record (for monthly billing).

(3) To run a monthly billing, simply send the credit card Reference, with the $amt, to your secure credit card server for processing. It keeps the log and returns a simple SUCCESS or ERROR.

Note: Make sure to store the billing data with that credit card #, so you keep your rates down.

DanB

Neil Smith [MVP, Digital media] <[EMAIL PROTECTED]> wrote:

[SNIP]

> As Bob's book is so bloody good, here's the ASIN for it in case you want to read all 650 pages of good advice ;-)
>
> http://www.amazon.com/gp/product/0130464562/qid=1136589506/sr=8-1/ref=pd_bbs_1/104-3174210-9795945?n=507846
>
> HTH
>
> Cheers - Neil

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: Storing Credit Cards, Passwords, Securely, two-way encryption
On Fri, 6 Jan 2006, Dan Baker wrote:

> "Peter Beckman" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
>> So I'm thinking about how to save credit card numbers in the DB, for re-charging cards for subscriptions, new orders, etc.
>>
>> I'm also thinking about how to save passwords in the DB, not plaintext, but not one-way encrypted either.
>>
>> Any suggestions? How would I secure the database? I'm thinking some abstract process in code, or something -- security through obscurity.

[Summary: Call Verisign, pay THEM to store credit cards for you]

What, exactly, does VeriSign do that makes you so sure they have secured the credit card information any better than I could, using a well-thought-out system? Do you even know? You just hear "VeriSign" and believe they have smart people who have more resources available to them to do a better job securing the data?

Maybe this makes sense if you are doing a few hundred or a few thousand dollars of business a month, but if you are planning on doing $5,000 to $10,000 a day, it is a lot of added expense to have someone else do it, when I could have it done internally.

It is the how. Please, no more replies saying don't do it.

Beckman

---
Peter Beckman                                    Internet Guy
[EMAIL PROTECTED]                                http://www.purplecow.com/
---
[PHP-DB] Re: Storing Credit Cards, Passwords, Securely, two-way encryption
"Peter Beckman" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> So I'm thinking about how to save credit card numbers in the DB, for
> re-charging cards for subscriptions, new orders, etc.
>
> I'm also thinking about how to save passwords in the DB, not plaintext,
> but not one-way encrypted either.
>
> Any suggestions? How would I secure the database? I'm thinking some
> abstract process in code, or something -- security through obscurity.

Suggestions? Oh, I've got some of them:

(1) Call VeriSign (just bought by PayPal).

(2) Do NOT store credit card numbers/dates/ccid's anywhere. (Yes, that ends in a PERIOD.)

(2B) Obviously you will need to store the credit card data for a brief while, so you can at least run the credit card. BUT, it shouldn't be stored for any longer than a few hours (see #3 below).

(3) Using a service like VeriSign, when you get the credit card information, run a charge of that card immediately (maybe a $1 handling charge). This will give you a magic reference # assigned to that credit card data at the service. VeriSign calls this a PNRef (I think). You can then use this reference for all future charges to that same credit card.

(4) Make sure to get the billing zip code and street address for the credit card. This reduces your cost per transaction.

(5) Did I mention to NOT store credit card numbers?

DanB
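The reference scheme that both of Dan's posts describe (an in-house "secure credit card server" handing back a Reference in one, VeriSign's PNRef in the other), as an added example in Go that is not part of the original thread. It shows the shape of the design rather than any vendor's API: the only component that ever sees the card number is a vault that encrypts it with AES-GCM and returns a random reference; the application keeps just the reference and the last four digits, and bills by sending reference plus amount, getting back a bare SUCCESS or ERROR and a vault-side log. The Vault type, the Store/Charge/Last4 names, the in-memory map standing in for the vault's database, the gateway callback standing in for the real processor call, and the record layout are all assumptions of this example; the card number is the well-known Visa test number, not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// cardRecord: AES-GCM ciphertext of "PAN|MM/YY" plus last four digits for receipts (assumed layout).
type cardRecord struct {
	nonce, ciphertext []byte
	last4             string
}

// Vault stands in for the "secure credit card server", the only process that sees card numbers.
type Vault struct {
	aead    cipher.AEAD
	records map[string]cardRecord // stand-in for the vault's own database
	log     []string
}

// NewVault takes the data-encryption key (16, 24 or 32 bytes). That key
// lives only on the vault host, never in the application database.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string]cardRecord{}}, nil
}

// Store encrypts the card and returns the reference the application keeps.
// The reference comes from crypto/rand rather than from hashing the PAN: card
// numbers are a small enough space to brute-force a hash, a random token is not.
func (v *Vault) Store(pan, expiry string) (string, error) {
	if len(pan) < 12 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("malformed card number")
	}
	buf := make([]byte, v.aead.NonceSize()+16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce, ref := buf[:v.aead.NonceSize()], hex.EncodeToString(buf[v.aead.NonceSize():])
	// The reference is bound in as associated data, so a ciphertext copied under another reference fails to decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(ref))
	v.records[ref] = cardRecord{nonce: nonce, ciphertext: ct, last4: pan[len(pan)-4:]}
	return ref, nil
}

// Charge is the monthly-billing call: reference plus amount in, bare SUCCESS or ERROR out.
// The PAN is in the clear only inside this function, on its way to gateway (the processor stand-in).
func (v *Vault) Charge(ref string, cents int, gateway func(pan, expiry string, cents int) bool) string {
	rec, ok := v.records[ref]
	if !ok || cents <= 0 {
		return v.logEntry("ERROR", ref, "----", cents)
	}
	pt, err := v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(ref))
	if err != nil {
		return v.logEntry("ERROR", ref, rec.last4, cents) // record was tampered with
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 || !gateway(parts[0], parts[1], cents) {
		return v.logEntry("ERROR", ref, rec.last4, cents)
	}
	return v.logEntry("SUCCESS", ref, rec.last4, cents)
}

// logEntry keeps the vault-side log (reference and last four, never the PAN).
func (v *Vault) logEntry(status, ref, last4 string, cents int) string {
	v.log = append(v.log, fmt.Sprintf("%s ref=%s last4=%s cents=%d", status, ref, last4, cents))
	return status
}

func (v *Vault) Last4(ref string) string { return v.records[ref].last4 } // the only card detail shown on receipts

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key only; generate and keep it on the vault host in real use
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample input: the well-known Visa test number, not a real card.
	ref, err := v.Store("4111111111111111", "12/09")
	if err != nil {
		panic(err)
	}
	approve := func(pan, expiry string, cents int) bool { return true } // stand-in gateway
	fmt.Println("ref:", ref, "last4:", v.Last4(ref))
	fmt.Println("bill:", v.Charge(ref, 1999, approve), "bogus ref:", v.Charge("no-such-ref", 1999, approve))
	fmt.Println(strings.Join(v.log, "\n"))
}
```

Two points the thread leaves implicit. First, the reference is "only valid within your office" precisely because it is random: an attacker who dumps the application database gets tokens that cannot be turned back into card numbers without also compromising the vault host and its key, which is why the key must never sit beside the references. Second, a vault like this narrows the exposure but does not remove it; the host that holds the key and the ciphertext is still the part of the system that has to be locked down (and, under PCI DSS, is still in scope), and GCM's 96-bit random nonces mean the key should be rotated well before the record count approaches 2^32.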