Re: [U2] Credit Card info
In message 32605-1263604391-637...@sneakemail.com, Tony Gravagno 3xk547...@sneakemail.com writes:

> Final note: I recommend breaking up any secure data you have and storing it in different files. A compromised credit card number is no good without other data including name, address, zipcode, phone number, etc. If you store the card ID in pieces, and encrypted, and separate from this other data, then even if the environment is compromised, the only person who could make use of the data would be someone who is intimate with your code and file structures.

That was something I was thinking of. I saw on Risks where somebody discussed this: print only the last four digits of the card number. I *think*, actually, that's NOT what you should do for credit cards. The reason is strange, but makes sense ...

Certainly with Barclaycard/Visa, the *first* four digits are pretty much constant per the issuer. It's the last digits that vary most. So if you only display the *first* four digits, you will give enough info to the card owner for him to identify his card, but any attacker will only be able to identify the bank that issued the card. All Barclaycards, for example, begin with 4929 iirc (or they did; I think there are a couple of other variants around now). Other cards are, I gather, the other way round.

That article on Risks was about how people who didn't understand WHY a particular 4-digit group had been chosen arbitrarily changed it and thereby actually undermined the entire security behind the idea. The danger is if different people print different bits of the number. An attacker can then put the whole number together from different printouts.

Either way, if you're going to print 4 digits, DON'T pick which four at random or because someone else says this is the four. Ask yourself WHY pick that four, and there's a damn good argument which tells you which set to pick, and it isn't just because they're the first, or the last.

Cheers,
Wol
--
Anthony W. Youngman pi...@thewolery.demon.co.uk
'Yings, yow graley yin! Suz ae rikt dheu,' said the blue man, taking the thimble. 'What *is* he?' said Magrat. 'They're gnomes,' said Nanny. The man lowered the thimble. 'Pictsies!'
Carpe Jugulum, Terry Pratchett 1998
Visit the MaVerick web-site - http://www.maverick-dbms.org Open Source Pick
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users
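A small Python illustration of the points in Wol's message, added here and not part of the thread: a masking helper that can keep either the first or the last four digits of a PAN, plus a merge check that shows how many digits become visible when two documents mask different positions, which is the audit a defender would run to decide whether a masking policy is consistent. The card number is constructed test data, not a real card, and the function names are my own.

```python
import re

# 13 to 19 digits covers the common card number lengths; no spaces or dashes.
PAN_RE = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str, keep: str = "last", n: int = 4, fill: str = "*") -> str:
    """Return the PAN with all but n digits replaced by fill.

    keep="last" is the receipt convention discussed in the thread (last 4 visible);
    keep="first" shows the issuer prefix instead, as Wol suggests for Visa/Barclaycard.
    """
    if not PAN_RE.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    if keep == "last":
        return fill * (len(pan) - n) + pan[-n:]
    if keep == "first":
        return pan[:n] + fill * (len(pan) - n)
    raise ValueError("keep must be 'first' or 'last'")


def merge_masked(*views: str, fill: str = "*") -> str:
    """Combine several masked prints of the same PAN.

    A position is known if any view shows it; this is exactly the exposure Wol
    warns about when different people print different parts of the number.
    """
    length = len(views[0])
    if any(len(v) != length for v in views):
        raise ValueError("masked views must be the same length")
    out = []
    for i in range(length):
        shown = {v[i] for v in views if v[i] != fill}
        if len(shown) > 1:
            raise ValueError(f"views disagree at position {i}")
        out.append(shown.pop() if shown else fill)
    return "".join(out)


def digits_exposed(view: str, fill: str = "*") -> int:
    """Count the PAN digits a reader of this (possibly merged) view can see."""
    return sum(c != fill for c in view)


if __name__ == "__main__":
    pan = "4929123456789012"  # constructed test value, not a real card
    receipt = mask_pan(pan)                # "************9012"
    order_list = mask_pan(pan, keep="first")  # "4929************"
    combined = merge_masked(receipt, order_list)
    print(receipt, order_list, combined, digits_exposed(combined))
```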
Re: [U2] Credit Card info
Typically, the last four are unique amongst corporate cards under a buyer who may buy for different departments or facilities with different departmental buying cards. They all are issued by the same bank, so identifying a specific charge later is hard to do if you don't know the auth code and the last four.

We run across this often with SmartPay 2 cards for the US Gov and related firms. There are 4 issuing banks for all of the cards, so it's not a good idea for us to use the first four. Even then it can be difficult to do if the charged amounts are the same. We store card meta data in the orders to help with this, instead of being forced to sift through a batch report of hundreds of charges per day.

Glen

On 1/16/2010 6:37 PM, Anthony W. Youngman wrote:
Re: [U2] Credit Card info
Actually, it's a Visa REQUIREMENT to print only the last 4 digits of a Visa card number on sales receipts, etc.

Larry Hiscock
Western Computer Services