

Page 3 of 3
Results 51 to 71 of 71
  1. #51
    SitePoint Enthusiast (joined Jun 2004, nyc, 63 posts)
    Quote Originally Posted by patrikG
    what would keep anyone from including that script? Compilation or not makes no difference.

    Obviously you are correct if the encoded script simply dumps out a decrypted card number.

    But, my thinking was that the encoded script could also strictly limit the context in which the decryption will occur. For example, only when making a legitimate purchase on the site. I would think that with some well-thought-out business logic and context validation this would be possible and would provide dramatically greater security than a naked key.

  2. #52
    REMIYA (SitePoint Wizard, joined May 2005, 1,351 posts)
    Quote Originally Posted by asp_funda
    You can also use RC4 encryption, which is a two-way encryption & uses a key to encrypt & the same key is required for decryption.
    Here's a class at PHPClasses http://www.phpclasses.org/browse/package/146.html
    The RC4 encryption is very good.

  3. #53
    asp_funda (SitePoint Wizard, joined Jun 2003, ether, 4,497 posts)

    Quote Originally Posted by REMIYA
    The RC4 encryption is very good.
    yeah!! been using it for quite some time now!!
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  4. #54
    Karl (SitePoint Wizard, joined Jul 1999, Derbyshire, UK, 4,411 posts)
    If you're working with credit card numbers, you really need to be looking at PKI and using a VPS solution (or dedicated server) so that you can have root level access to get secure protected memory access (that isn't written to the page file).
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.

  5. #55
    DanThies (SitePoint Columnist, joined Sep 2000, 86 posts)
    VISA's CISP program page describes their guidelines, which are based on an evolving industry standard:
    http://usa.visa.com/business/accepti...ment/cisp.html

    I'm no crypto expert, but it's unlikely that storing cardholder data on the web server could possibly meet that standard. I sure as heck would never implement anything that involved storing cardholder data on a web server, that's just nuts. At a minimum, I'd think you would need a separate server behind a firewall.

  6. #56
    Non-Member (joined Jan 2003, 866 posts)
    Quote Originally Posted by b1ind
    Nothing I can really do but inform the client of the risks involved.
    You can refuse the project. I would.

  7. #57
    REMIYA (SitePoint Wizard, joined May 2005, 1,351 posts)
    Quote Originally Posted by techmonkey
    You can refuse the project. I would.
    Why should he refuse the project?
    It is not his fault that they are not listening to his advice; just have it written down as a document.

  8. #58
    Karl (SitePoint Wizard, joined Jul 1999, Derbyshire, UK, 4,411 posts)
    Have you no ethics then? Part of being a good software engineer is knowing where to draw the line, and putting people's personal data at risk is well and truly having crossed over that line.

  9. #59
    SitePoint Addict (joined Mar 2005, 314 posts)
    Hello,

    You could battle this in various ways; one way we do it is to use two-way encryption in the DB with a 3-layer encrypt/decrypt function.

    In order to view card(s) from the Admin CP, you must supply the valid "keys" associated with the encryption (usually via a textbox or some input text) before the number will show or the list of cards is displayed to the main administrator.

    Keep in mind, it's not legal to store CVV/CVV2/etc. (the 3-4 digit numbers from the back of the card) in your database. At least I believe this rule applies for the US and Canada. You may want to research this for your state/province/country.

    Regards,

    Peter

  10. #60
    SitePoint Member (joined Feb 2005, Cape Town, South Africa, 13 posts)
    Hi Guys,

    I need to do something similar, except I will be using SSL and I will be emailing the CC no. to the client. I have no experience with this type of thing. But is it safe if I, let's say, first encrypt it with XOR, then encrypt that with RC4, with 2 different keys, then mail it to the client? His PC will have a script where he can paste the encrypted string and the 2 keys to get the number...

    Is that acceptable?

    He is being very difficult about wanting people to enter their CC no. I have convinced him to make it optional, so I doubt anyone will be entering them anyway ;-), but just in case...

    Thanks

  11. #61
    patrikG (SitePoint Zealot, joined Aug 2003, Sussex, UK, 129 posts)
    Emails are as secure as sending a snail-mail postcard. You're dealing with other people's money. Invest in security; convince your client that a payment gateway doesn't need to cost the world and reduces risk by 100%, because the company you buy it from deals with it & it's their job to keep their security up to date.

    Security is not only a technical issue.

  12. #62
    SitePoint Member (joined Feb 2005, Cape Town, South Africa, 13 posts)
    Thanks Patrik,

    But let's say someone intercepts the email... surely it would be impossible for them to crack the 2-level encryption? Also, I will put some junk numbers in between the CC number so that the actual length of the encoded string is not known.

    This is the only thing I can think of at the moment, as the client does not want to pay for ANYTHING, but I really need the money at the moment, so I cannot pass this on to someone else.
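Added example, not code from any poster in this thread, showing in Go what the scheme proposed in #60 and #62 (XOR with one key, then RC4 with a second key, then email) amounts to; the RC4-only suggestion in #52 and #53 has the same shape. Both layers are XORs with bytes that depend only on the keys and the byte position, so every message encrypted under the same two keys is XORed with the same keystream, and mixing junk digits into the number changes the plaintext but not that fact. The card numbers are the public Visa and Mastercard test numbers and the two keys are constructed for the example. The block goes slightly beyond the posts: the same recovery works for any stream cipher restarted with a fixed key for each message.

```go
package main

import (
	"crypto/rc4"
	"fmt"
)

// Constructed sample data: the public Visa and Mastercard test numbers, not real accounts.
const (
	cardA = "4111111111111111"
	cardB = "5500000000000004"
)

// The "2 different keys", as they would sit in a config file on the server and in the client's script.
var (
	xorKey = []byte("first-key")
	rc4Key = []byte("second-key")
)

// xorRepeating is the XOR layer: each byte XORed with the key, cycling the key.
func xorRepeating(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// rc4Layer is the RC4 layer, restarted from keystream byte 0 for every message,
// which is what calling the cipher afresh with the same key does.
func rc4Layer(key, data []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// LayeredEncrypt is the proposed scheme: XOR with one key, then RC4 with the other.
// Both layers only XOR, so ciphertext[i] = plaintext[i] ^ xorKey[i%len(xorKey)] ^ rc4Stream[i],
// i.e. plaintext XOR one fixed keystream K that is identical for every message.
func LayeredEncrypt(plaintext []byte) []byte {
	return rc4Layer(rc4Key, xorRepeating(xorKey, plaintext))
}

// LayeredDecrypt undoes the layers in reverse order (each is its own inverse).
func LayeredDecrypt(ciphertext []byte) []byte {
	return xorRepeating(xorKey, rc4Layer(rc4Key, ciphertext))
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverKeystream: anyone holding one plaintext/ciphertext pair (their own card and the
// email it produced, say) learns K for every position, without either key.
func RecoverKeystream(ciphertext, knownPlaintext []byte) []byte {
	return xorBytes(ciphertext, knownPlaintext)
}

// DecryptWithKeystream reads any other message of up to the same length using only K.
func DecryptWithKeystream(ciphertext, keystream []byte) []byte {
	return xorBytes(ciphertext, keystream[:len(ciphertext)])
}

// ChangeDigit rewrites one digit in transit: flipping ciphertext bits flips the same
// plaintext bits, and nothing in the scheme detects it.
func ChangeDigit(ciphertext []byte, pos int, from, to byte) []byte {
	out := append([]byte(nil), ciphertext...)
	out[pos] ^= from ^ to
	return out
}

func main() {
	c1 := LayeredEncrypt([]byte(cardA)) // "intercepted" email for a card the attacker knows
	c2 := LayeredEncrypt([]byte(cardB)) // email for someone else's card
	k := RecoverKeystream(c1, []byte(cardA))
	fmt.Printf("second card, recovered without either key: %s\n", DecryptWithKeystream(c2, k))
	fmt.Printf("tampered email decrypts on the client to:   %s\n", LayeredDecrypt(ChangeDigit(c2, 15, '4', '9')))
}
```

The attacker never touches the server or the keys here: one order placed with their own card gives them the keystream, and every later email of the same length opens with it. The integrity part matters as much as the secrecy part, which is why the AES-GCM-style authenticated modes used in the hybrid design discussed later in the thread reject a flipped bit instead of silently decrypting it.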

  13. #63
    Karl (SitePoint Wizard, joined Jul 1999, Derbyshire, UK, 4,411 posts)
    The only safe method in that case is to use PKI, with a cipher such as AES-256 (which is used to actually encrypt the data) and a key length of either 1024 or 2048 bits (which is used to encrypt the session key, used by AES-256 to encrypt the data). As you're dealing with small amounts of data, it'd be difficult to crack either the session key or the private key.

  14. #64
    SitePoint Member (joined Feb 2005, Cape Town, South Africa, 13 posts)
    Thanks Karl, sounds like you really know encryption! I am a total noob though and have no idea what you are talking about.

    So I take it my method is totally not secure then? I don't understand why. Isn't the only way it can be cracked if someone hacks the SSL and checks the script?

  15. #65
    Karl (SitePoint Wizard, joined Jul 1999, Derbyshire, UK, 4,411 posts)
    SSL has nothing to do with stopping someone on the server from reading the encryption key you are using from your files. When it comes to shared hosting, there's always a risk someone can read your key from the file. SSL only protects the information between your user's browser and the web server; after that it has no effect.

  16. #66
    SitePoint Member (joined Feb 2005, Cape Town, South Africa, 13 posts)
    Oh crap! That's no good then. So basically any encryption that requires a static key can be easily cracked by hacking the server?

    If I use AES-256, how on earth would I decrypt the data, as the session key changes all the time, doesn't it?

    Do you have an example for me?

    Just want to clarify something... the reason my first way won't work is because a person could get the key from the server by hacking it? What if I were to encrypt the PHP script? Would that be OK?

    Thanks

  17. #67
    SitePoint Addict (joined Jun 2005, 262 posts)
    Quote Originally Posted by stereofrog
    The solution to your problem would be to use asymmetric crypt, so that your application can only encode CC numbers with the public code (stored on the server), but there is no way to decode them without knowing the private one (stored on the administrator's local machine). There are several implementations of asymmetric crypts in PHP, for example http://pear.php.net/package/Crypt_RSA (I didn't test it, so no warranty).

    If CC numbers should be available for users as well, you need to encode twice: once for each user (using symmetric crypt like blowfish and user's password) and once for admin (using asymmetric crypt).
    Yes, I'm resurrecting an old thread, but after reading various encryption posts, I haven't seen this point touched upon a great deal.

    My situation is, I need to store CC# in a MySQL database to process monthly online subscriptions.

    If I use the above method, I'll have to login to an admin area every 24 hours and process the orders manually using my private key?

    Is the above method considered 'safe'?

    For those that need to process CC on a recurring basis, how do you deal with it?
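Karl's description in #63 and the asymmetric approach quoted from stereofrog above are the same design: a random per-record AES session key encrypts the card data, and only that session key is encrypted under the RSA public key, so the web server holds nothing secret. It also answers the question in #66 about the session key "changing all the time": it is different for every record and travels with the record, wrapped, so the private key alone unwraps any of them. The following is an added illustration in Go using the standard library's RSA-OAEP and AES-256-GCM; it is not code from the thread, from Crypt_RSA or from any project. The card line is the public Visa test number and the OAEP label is an arbitrary constant chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is all the web server ever stores or emails: the card data under a one-off
// AES-256-GCM key, and that key under the RSA public key. Nothing on the server opens it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // 12-byte GCM nonce, fresh per record
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, plaintext) with the authentication tag appended
}

// oaepLabel ties the wrapped key to this use; it is a fixed, non-secret constant chosen here.
var oaepLabel = []byte("card-envelope-v1")

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// SealForOffline runs on the web server, which holds only the public key.
func SealForOffline(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // AES-256 session key, used for exactly one record
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	defer wipe(aesKey) // the server forgets the session key as soon as it is wrapped
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenOffline runs on the administrator's machine, where the private key lives.
// Any change to the envelope, or the wrong private key, makes it fail closed.
func OpenOffline(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	defer wipe(aesKey)
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope rejected: %w", err) // GCM tag mismatch
	}
	return pt, nil
}

func main() {
	// Generated once, offline. Only &priv.PublicKey is copied to the web server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := SealForOffline(&priv.PublicKey, []byte("4111111111111111 12/09")) // public Visa test number
	if err != nil {
		panic(err)
	}
	pt, err := OpenOffline(priv, env)
	fmt.Printf("opened offline: %s (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 1
	_, err = OpenOffline(priv, env)
	fmt.Printf("after flipping one ciphertext bit: %v\n", err)
}
```

The thing to check before relying on this is where the private key physically is: if it is ever uploaded to the web server, even "just for the admin page", the design collapses back to the static-key case from #65. It also does not make recurring charges possible from the server, which is exactly the limitation the question above runs into; the server can only add envelopes, never open them.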

  18. #68
    asp_funda (SitePoint Wizard, joined Jun 2003, ether, 4,497 posts)

    Quote Originally Posted by champ
    For those that need to process CC on a recurring basis, how do you deal with it?
    The safest method is to let your CC processor handle it. Almost all CC processors (at least the ones I've worked with) allow for recurring charges, so just mention that when charging the customer for the first time & the CC processor will function from there automatically, so you wouldn't need to store CC numbers or do any recurring charges yourself. It's the easiest way, & peace of mind.

  19. #69
    SitePoint Member (joined Sep 2006, 2 posts)
    That's all well and good for recurring transactions that are the same amount every month. But I have a client that wants to automatically charge for his service each month (simple recurring charge, you say?), BUT while the basic amount remains the same -- little incidental charges can be applied to the account during the month, making the final charge different every month -- like a phone or electric bill.

    I'm having trouble finding a payment gateway that can handle that situation, and I refuse to store the CC#'s in the db. (VPS hosting, but only 1 server)

  20. #70
    Karl (SitePoint Wizard, joined Jul 1999, Derbyshire, UK, 4,411 posts)
    Any CC processor worth their salt that offers a recurring solution will allow you to amend the charge each month. When you set up the initial charge using their API, they pass you back a reference to this customer/billing item; then, in future, you use that reference to make any adjustments.

  21. #71
    SitePoint Member (joined Sep 2006, 2 posts)
    Thanks Karl,

    This is a new area of development for me, but the client had already set up a LinkPoint account. They seem to be a major gateway, but changes to their recurring transactions require the original CC and EXP info to make a change to the amount.

    I suppose this puts them in the "not worth their salt" category.

    Anyone have suggestions for those that might? Looks like PayFlow Pro does do that with the PNREF value.

    Perhaps I'll move this to a new thread as the forum suggests.

    - b.
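To make concrete what #68, #70 and #71 describe, here is an added example in Go of the merchant side of reference-based recurring billing. It is not code from the thread, LinkPoint or PayFlow Pro: the gateway interface and the in-memory FakeGateway are constructed stand-ins for a real processor, and the reference format is invented for the example (real references are opaque strings). The merchant record keeps only the reference and the last four digits, the variable monthly amount from #69 is charged against the reference, and a guard checks that nothing the merchant persists contains a full card number. The card number is the public Visa test number.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Subscription is the merchant-side record; the full PAN and the CVV are never written to it.
type Subscription struct {
	CustomerID string
	GatewayRef string // opaque reference returned by the processor at enrolment
	Last4      string // for display only
	BaseCents  int64  // fixed part of the monthly charge
}

// Gateway is the processor API the thread describes: vault the card once, charge by reference.
type Gateway interface {
	Vault(pan, expMMYY string) (ref string, err error)
	ChargeByRef(ref string, cents int64) error
}

// FakeGateway is a constructed in-memory stand-in for a real processor, for this example only.
type FakeGateway struct {
	vault   map[string]string  // ref -> PAN, held by the processor, never by the merchant
	Charges map[string][]int64 // ref -> amounts charged
}

func NewFakeGateway() *FakeGateway {
	return &FakeGateway{vault: map[string]string{}, Charges: map[string][]int64{}}
}

func (g *FakeGateway) Vault(pan, expMMYY string) (string, error) {
	if !LuhnValid(pan) {
		return "", errors.New("gateway: PAN fails Luhn check")
	}
	ref := fmt.Sprintf("REF%06d", len(g.vault)+1) // sequential here; real references are opaque
	g.vault[ref] = pan
	return ref, nil
}

func (g *FakeGateway) ChargeByRef(ref string, cents int64) error {
	if _, ok := g.vault[ref]; !ok || cents <= 0 {
		return errors.New("gateway: unknown reference or bad amount")
	}
	g.Charges[ref] = append(g.Charges[ref], cents)
	return nil
}

// LuhnValid is the checksum every card number satisfies; it catches typos, not fraud.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0') // byte arithmetic: a non-digit wraps to a value above 9
		if d > 9 {
			return false
		}
		if double {
			d = (2*d)%10 + (2*d)/10 // digit sum of 2d, i.e. 2d-9 when 2d >= 10
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// Enroll sends the PAN to the processor exactly once and keeps only the reference.
func Enroll(gw Gateway, customerID, pan, expMMYY string, baseCents int64) (Subscription, error) {
	ref, err := gw.Vault(pan, expMMYY)
	if err != nil {
		return Subscription{}, err
	}
	return Subscription{CustomerID: customerID, GatewayRef: ref, Last4: pan[len(pan)-4:], BaseCents: baseCents}, nil
}

// BillMonth charges base plus this month's incidentals against the reference (the phone-bill case from #69).
func BillMonth(gw Gateway, s Subscription, incidentalCents []int64) (int64, error) {
	total := s.BaseCents
	for _, c := range incidentalCents {
		total += c
	}
	return total, gw.ChargeByRef(s.GatewayRef, total)
}

var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// ContainsPAN guards anything the merchant persists or logs: 13 to 19 digits in a row is a card number.
func ContainsPAN(record string) bool { return panPattern.MatchString(record) }

func main() {
	gw := NewFakeGateway()
	sub, err := Enroll(gw, "cust-1", "4111111111111111", "1209", 2000) // public Visa test number
	if err != nil {
		panic(err)
	}
	total, err := BillMonth(gw, sub, []int64{350, 125})
	fmt.Printf("stored: %+v\ncharged %d cents (err=%v), PAN in record: %v\n", sub, total, err, ContainsPAN(fmt.Sprintf("%+v", sub)))
}
```

The property worth testing in a real integration is the one ContainsPAN checks: the card number should appear in exactly one outbound request to the processor and nowhere in the database, logs or emails afterwards. A gateway whose amount changes require the original card and expiry, as described for LinkPoint above, forces the merchant to keep the PAN and so defeats the point of the reference.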

