Hi all,

your points are well taken, and I'm not trying to put the cc numbers
into a database for the very same reason.
I do, however, have to put it into the session as part of the checkout
process, before I even get to use a payment gateway (after that it'll
get obfuscated right away, and I only store the last 4 digits, yes..).
Since session files are non-encrypted,
and the system may at some point run on a shared server, I would like
to encrypt at least the number before I put it in.

Sounds good?

Thanks for all your help.
And thanks Dustin for reminding me of the plugin. I completely forgot
about it. :)

Have a great day,
Daniel

On Jun 12, 5:30 pm, "Alistair Stead" <[EMAIL PROTECTED]>
wrote:
> There are major implications of storing such data, and in the UK there are
> particularly stringent restrictions on how and where you can store such
> data. I believe this goes as far as dictating hardware setup etc.
> My advice would be to evaluate the reason why you are storing this information
> and think about shifting this task to a dedicated payment gateway service.
> These services are set up to ensure all legislation is covered and users'
> personal data is protected. If you are storing data for delayed or repeat
> billing, these services should be able to facilitate this.
>
> I have in the past been asked by a number of clients to store this data so
> they could process orders manually through a PDQ terminal... All to save
> paying for a payment gateway.
>
> Although the risk may seem small, just imagine the implications of someone
> gaining access to your server. (This does happen.)
>
> Alistair
>
> 2008/6/12 Dustin Whittle <[EMAIL PROTECTED]>:
>
> > Also, see the dwCryptPlugin for a simple interface to mcrypt encryption.
>
> > - Dustin
>
> > On 6/12/08 2:33 PM, "Lee Bolding" <[EMAIL PROTECTED]> wrote:
>
> > > You may want to check this: http://en.wikipedia.org/wiki/PCI_DSS
> > > before you go ahead and do that.
>
> > > "A company processing, storing, or transmitting payment card data must
> > > be PCI DSS compliant or risk losing their ability to process credit
> > > card payments and being audited and/or fined"
>
> > > I think you'll find that one way functions are mandatory, and that
> > > you're only ever allowed to store the last 4 card digits in plain.
>
> > > On 12 Jun 2008, at 22:02, Richtermeister wrote:
>
> > >> Thanks Mohammad,
>
> > >> that is exactly what I was looking for!
> > >> And another reason to get mcrypt working on my server ;)
>
> > >> Thanks again,
> > >> have a great day.
>
> > >> Daniel
>
> > >> On Jun 12, 1:37 pm, "Mohammad Ali Safari" <[EMAIL PROTECTED]>
> > >> wrote:
> > >>> Hi,
> > >>> I use the methods in PHP mcrypt module.
>
> > >>> I have these two methods:
>
> > >>> // Encryption: Rijndael-128 (AES) in CBC mode with a fresh random IV;
> > >>> // the result is base64(ciphertext) . '_' . base64(iv)
> > >>> public static function encrypt($string, $key){
> > >>>   $cipher_alg = MCRYPT_RIJNDAEL_128;
> > >>>   // ask for the IV size of the mode actually used (CBC, not ECB)
> > >>>   $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_CBC),
> > >>>                          MCRYPT_RAND);
> > >>>   $encrypted_string = base64_encode(mcrypt_encrypt($cipher_alg, $key,
> > >>>                                                    $string, MCRYPT_MODE_CBC, $iv));
> > >>>   $iv_encode = base64_encode($iv);
> > >>>   return $encrypted_string.'_'.$iv_encode;
> > >>> }
>
> > >>> // Decryption: split off the IV, decrypt, then strip the NUL bytes that
> > >>> // mcrypt pads the plaintext with (this also drops any genuine trailing NULs)
> > >>> public static function decrypt($encrypted_string, $key){
> > >>>   $cipher_alg = MCRYPT_RIJNDAEL_128;
> > >>>   list($encrypted_string, $iv) = explode('_', $encrypted_string, 2);
> > >>>   $decrypted_string = mcrypt_decrypt($cipher_alg, $key,
> > >>>                                      base64_decode($encrypted_string), MCRYPT_MODE_CBC,
> > >>>                                      base64_decode($iv));
> > >>>   return rtrim($decrypted_string, "\0");
> > >>> }
>
> > >>> where $key is some fixed value stored in my app.yml file.
>
> > >>> --Mohammad
>
> --
> Alistair Stead
> Senior Interactive Developer
>
> Mobile: +44 (0) 7788 107 333
> Email: [EMAIL PROTECTED]
> WWW: designdisclosure.com
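What Daniel describes above, sealing the card number before it goes into the session, as an added example in PHP that is not code from anyone in this thread: it uses PHP's sodium extension so the stored value is authenticated as well as encrypted, and the environment variable name, the fallback key and the test card number are assumptions made for the example.

```php
<?php
// Added example, not code from this thread: seal the card number before it is
// written to the session, using PHP's sodium extension (PHP >= 7.2). The env
// variable name, the fallback key and the test card number are constructed.
function load_session_key(): string
{
    // Constructed fallback so this runs stand-alone; in production the key comes
    // from the environment or a secrets store, never from app.yml or the code.
    $hex = getenv('CHECKOUT_SESSION_KEY') ?: str_repeat('7f', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $key = sodium_hex2bin($hex);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('session key must be exactly 32 bytes');
    }
    return $key;
}

// Fresh random nonce per call; secretbox also appends a MAC, so a session file
// edited on disk fails to open instead of decrypting to garbage (plain CBC as in
// the mcrypt snippet gives no such check).
function seal_for_session(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function open_from_session(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('malformed session value');
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($plain === false) {
        throw new RuntimeException('session value failed authentication');
    }
    return $plain;
}

// Checkout step; $session stands in for $_SESSION and the PAN is a constructed test number.
$session = [];
$key = load_session_key();
$pan = '4111111111111111';
$session['pan_enc'] = seal_for_session($pan, $key);
$session['pan_last4'] = substr($pan, -4);  // the only part retained after the gateway has it
sodium_memzero($pan);                      // wipe the plaintext copy once it is sealed
assert(open_from_session($session['pan_enc'], $key) === '4111111111111111');
// A single flipped byte in the stored value is rejected rather than decrypted.
$tampered = base64_decode($session['pan_enc']);
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
try { open_from_session(base64_encode($tampered), $key); }
catch (RuntimeException $e) { echo "tampering detected: {$e->getMessage()}\n"; }
```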
You received this message because you are subscribed to the Google Groups 
"symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/symfony-users?hl=en