Best way to store CC number?


Andy Z
02-18-2002, 10:03 PM
What do you think is the best way to handle CC numbers in a database for later processing (like HM's order form - they process manually, but how do they store the CC numbers)? Just plain text :eek: or what? If someone got into your database, how could you protect the CC numbers? I know encrypt() and decrypt() are not enabled on HM servers, and it wouldn't matter anyway since someone could just use decrypt() to get an encrypted number. Do you think CC numbers should be split up, with part sent in an e-mail and the rest into the DB? Just trying to find the best (most secure) way since I'll be manually processing all orders. Thanks!

Damian
02-18-2002, 10:16 PM
Andy,

There are a few things to consider.

From memory HM use a server that's not available to the Internet - the advantages to owning the machines :)

On a shared server, where all the users have access this can be hard to achieve.

Ideally you shouldn't store card numbers at all. Modernbill uses an encryption method where the key used to encrypt/decrypt is never stored on the server - you must enter it whenever you wish to view the details.

I'm sure others will join in with their experiences.

Kevin
02-18-2002, 10:50 PM
Here's what I do. The form processing script has a section in it that splits the credit card up into a few pieces. Then, I perform a mathematical operation (add, subtract, multiply are ok - divide is a bad idea) to each piece individually. These pieces go into the database with the order. The orderform & processing scripts are both used via https.

Then, I have a retrieval script that I access with https once again that gives me all the order information, including the still encrypted pieces of the credit card number.

That information is then put into an offline database (saved on removable media, so it's not just sitting on my computer). This still has the encrypted info in case I was to ever lose the media. I decrypt & recompile the number on a piece of paper when I need the CC number for billing. The paper is then shredded. When the shredder gets full, I burn the shreddings.

Anal, ain't it?

Andy Z
02-19-2002, 12:32 AM
Thanks. I believe I'll try something similar to what you have, Kevin. I finished the order form (except a few cosmetic HTML items) and have begun the processing script. (Goody, regular expressions, MySQL and now mathematical functions and other stuff.:D :rolleyes: ) But I'll probably be using QuickBooks, and maybe I'll keep the orders in an Access DB (password protected and then encrypted using the Blowfish algorithm, then put on a ZIP disk that is also password protected). I also have a criss-cross shredder.;)

Dolphyn
02-19-2002, 12:43 AM
I'm dealing with this very issue right now, since Authorize.net screwed up my system. (My system was to leave everything on the Authorize.net server and retrieve it from there when I needed it ... which doesn't work any more since they've just started putting X's where some of the digits are supposed to be.)

I'm thinking the best way ought to be some kind of GnuPG thingie, where a public key is used to encrypt the data, and a private key (not stored on the server) is used to decode it. Don't take my word for it though, because I don't know what I'm talking about. Anyway, I've been searching around and came up with the following links which look potentially useful although I haven't really digested any of them yet:

http://www.alt-php-faq.com/#id65
http://www.extropia.com/hacks/misc/GnuPG.html
http://www.machineofthemonth.org/articles/a12/page2.html
http://www.nightmedia.net/shop/libraries.html#cryptlib
http://www.titaniumwolf.co.uk/cryptography.htm
http://www.hansanderson.com/php/crypto/encrypt.php3

Stoker
02-19-2002, 01:00 PM
Using simple math crypt to store CC info is NOT safe at all unless you use private script files and the cgiwrapper to execute them. If both the MySQL user/pass and the crypt/math are stored in normal scripts, it is way too easy to steal the person/CC info without you as a merchant knowing anything about it.

As Dolphyn mentioned, it should be either stored or emailed in an encrypted format which is not reversible with anything stored on the server. GnuPG is probably the best and easiest way to do it.

In my opinion storing locally should be encrypted as well, with a passphrase and/or key that you do not have stored on the same machine.

Keep in mind that hackers who want to get to your info will put quite a bit of effort and work into trying to get to it.

Andy Z
02-20-2002, 01:21 AM
Would it make the script any more secure if it was outside public_html? The script that processes the info and inputs it into the database? If yes, would you just include() the processing script in another script that would be the action of the form? Just trying to figure out the best way to set this up. I'm working on the eregi stuff and on how to require the CC fields if they choose CC as the payment type.

Then the script would split up the CC and perform some mathematical operations on it (known only to me) and then notify me via e-mail, at which point I can grab it through a secure script, enter it into a local DB (MS Access) and delete it from the online DB. From there I just perform normal stuff (confirm order, set up account, etc.). I'll keep the database on a ZIP disk and I'll encrypt the DB file (outside freeware program I have).

Stoker
02-20-2002, 06:47 AM
Placing script files outside public_html helps, not a whole lot, but it will prevent showing the script if for some reason Apache's PHP handler were not set right, and no one can specify a path directly to a file meant for inclusion. But as far as protecting database info, it doesn't really help anything.

>split up the CC and perform some mathematical operations on it (known only to me)

That is where you are wrong: if the script knows how to do the math, a hacker could read the script, and the reverse calculations will be really easy to figure out... (Unless you use strong algorithms such as crypto uses, where a key pair is needed, one for encoding and one for decoding.)
Basically, storing sensitive information without such encryption is NOT secure; no matter how much math or number tweaking you do, it is easily reversible.
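
The point Dolphyn and Stoker make above (a public key on the server, the private key only on the merchant's own machine), shown in code as an added example that is none of the posters' own. The thread is about PHP scripts; this uses Go's standard library instead, with RSA-OAEP standing in for the GnuPG public-key encryption they recommend, and a constructed test card number rather than a real one. The first half reproduces the "split the number into pieces and add a constant to each" scheme: the offsets have to be in the script, so whoever can read the script and the database gets the card back in one step. The second half encrypts with a public key, which is all the server ever holds; the matching private key stays offline, and a different private key cannot decrypt what was stored.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed test PAN for the demo: a widely used test number, not a real card.
const sampleCard = "4111111111111111"

// ---- Scheme A: split the PAN into pieces and "encrypt" each with arithmetic ----

// mathKey plays the role of the offsets the order-processing script would have
// to contain. Anyone who can read the script can read these.
var mathKey = []int{1234, 5678, 4321, 8765}

// obfuscateCard splits a 16-digit PAN into four 4-digit pieces and adds a
// per-piece constant, which is what the thread's "add/subtract" scheme amounts to.
func obfuscateCard(pan string) ([]int, error) {
	if len(pan) != 16 {
		return nil, errors.New("demo expects a 16-digit PAN")
	}
	pieces := make([]int, 0, 4)
	for i := 0; i < 4; i++ {
		n, err := strconv.Atoi(pan[i*4 : i*4+4])
		if err != nil {
			return nil, err
		}
		pieces = append(pieces, n+mathKey[i])
	}
	return pieces, nil
}

// recoverCard is what an attacker does after reading the script and the
// database: undo the arithmetic piece by piece and re-pad to four digits.
func recoverCard(pieces []int) string {
	var sb strings.Builder
	for i, p := range pieces {
		sb.WriteString(fmt.Sprintf("%04d", p-mathKey[i]))
	}
	return sb.String()
}

// ---- Scheme B: public-key encryption; only the public key lives on the server ----

// generateMerchantKeys runs once on the merchant's offline machine. The private
// half never goes near the web server.
func generateMerchantKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForMerchant is the only crypto step the order-form script performs.
// It needs nothing but the public key, so the server holds nothing that decrypts.
func encryptForMerchant(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte("order"))
}

// decryptOffline runs on the merchant's machine with the private key; the OAEP
// label must match the one used when encrypting.
func decryptOffline(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("order"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	pieces, _ := obfuscateCard(sampleCard)
	fmt.Println("stored pieces:", pieces)
	fmt.Println("attacker who read the script recovers:", recoverCard(pieces))

	priv, _ := generateMerchantKeys()
	ct, _ := encryptForMerchant(&priv.PublicKey, sampleCard)
	fmt.Printf("stored ciphertext: %d bytes of RSA-OAEP output\n", len(ct))
	pan, _ := decryptOffline(priv, ct)
	fmt.Println("merchant decrypts offline:", pan)

	other, _ := generateMerchantKeys()
	_, err := decryptOffline(other, ct)
	fmt.Println("anyone without the right private key:", err)
}
```

In practice the server side would hold only the exported public key file and the card would never be written to the database in the clear at all; the arithmetic half is kept here purely to make the contrast concrete.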

Andy Z
02-20-2002, 04:09 PM
What kind of encryption would you suggest? Something that could be encrypted with a public key and only decrypted using the corresponding private key, which I could use once I downloaded it to my local machine and deleted it from the database. How would that be, and what would I use?

Stoker
02-20-2002, 04:32 PM
Search for threads here regarding GnuPG and gpg; cPanel now has the ability to manage keys, I believe.