storing credit card details

Posted by Wayne Evans on March 1, 2005, 11:10 pm
I know storing credit card details in a MySQL database is a really bad
idea, but what is the general opinion on the method described below?

1. Store cc details encrypted in database. Encryption key "randomly"
generated.
2. The randomly generated encryption key is sent to the user but NOT
stored in database.
3. User accesses the order using the encryption key sent to him.
4. Order/cc details deleted from database.

This way the cc details are only on the system for a short length of
time.
I guess the flaw is the email?

Any opinions gratefully received!

Cheers,

Wayne


Posted by Tim Hogard on March 2, 2005, 12:39 pm
Wayne Evans (wayne_m_evans@hotmail.com) wrote:
: I know storing credit card details in a MySQL database is a really bad
: idea, but what is the general opinion on the method described below?
:
: 1. Store cc details encrypted in database. Encryption key "randomly"
: generated.
: 2. The randomly generated encryption key is sent to the user but NOT
: stored in database.
Why? They already have the card number. They don't need a 2nd copy,
encrypted or not, and they don't need a key for the card number. What
they do need is a non-guessable key to get order status.

Do you have any legit reason to store card numbers? Also, Visa
considers the expire date to be as sensitive as the card number, so
you need to encrypt it too (or just don't store any of it).

-tim
http://web.abnormal.com
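
The non-guessable order-status key suggested in the reply above, sketched as an added example that is not part of the original thread. The function names, the in-memory `ORDERS` dict standing in for a database table, and the seven-day lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime of a status link

# Constructed stand-in for an orders table, keyed by the token's hash.
# It holds no card number, expiry date or cardholder name.
ORDERS = {}


def token_digest(token: str) -> str:
    """Hash the token so a copy of the table does not reveal usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_order(status: str, now: Optional[float] = None) -> str:
    """Record an order and return the token to hand to the customer."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    ORDERS[token_digest(token)] = {
        "status": status,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # only the hash stays on the server


def order_status(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the order status, or None for unknown and expired tokens alike."""
    now = time.time() if now is None else now
    key = token_digest(token)
    row = ORDERS.get(key)
    if row is None:
        return None
    if now > row["expires"]:
        del ORDERS[key]  # expired rows are removed on first touch
        return None
    return row["status"]
```
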


Posted by Wayne Evans on March 3, 2005, 12:32 am
The idea being the cc cards are processed by hand at a later date with
a swipe card machine, as a merchant account is not set up.
And when I refer to cc details, I mean encrypting the dates, names,
everything.

