  1. #1
    ashattuc (SitePoint Evangelist)

    Best way to store credit card info

    Hi Folks!

    I need to be able to store credit card information taken from an online form. I don't need to hang onto the data too long, but I need to use it to set up several accounts with other providers on my client's behalf.

    I've read that sending the data via e-mail is a bad idea, and that it's better to store it encrypted in a database. My question is how do you do a 2-way encryption for it? I know you can use the MySQL PASSWORD for 1-way, but I'm clueless on the procedure for 2-way.

    Can anyone help with this?

    Thanks!
    Chris
    Chris S.

    Free Web Scripts - Form generators, AJAX tools and more!
    Micro CMS - A totally free AJAX-based, SEO-ed CMS!

  2. #2
    Grumpy Minimalist
    If you have PHP 5 with the mcrypt library installed, it should be an easy task. What you're looking for is called a symmetric block cypher. Since your operation is mission-critical (storing credit card information), I'd recommend using a cypher such as 256-bit Rijndael (constant in mcrypt is MCRYPT_RIJNDAEL_256).

    If you don't have mcrypt, you'll either need to install it or use a third party library.

    Keep in mind, all of this server-side encryption doesn't do a thing unless you use strong SSL connections for transferring the credit card information. Also, make sure that you indicate to the users that your system uses encryption, and provide a link to your privacy policy up-front.

    If you want to learn more about symmetric block cyphers, listen to episode 33 of Security Now! (or read the transcripts of the 43 minute audio).
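The keyed, two-way encryption this reply is describing, written out as an added example (not code from the thread or from any poster). The mcrypt extension named above was removed in PHP 7.2, so this uses PHP's built-in openssl_encrypt/openssl_decrypt with AES-256-GCM, which also authenticates the stored blob so a modified record is rejected rather than decrypted into garbage. It assumes the 32-byte key is kept outside the database, here in an environment variable named CARD_KEY (an assumed name); the card number is a constructed test value.

```php
<?php
// Added example: authenticated symmetric encryption of a card number with
// AES-256-GCM via the openssl extension (mcrypt no longer exists in PHP 7.2+).
// Assumption: the key is stored away from the database, in the environment
// variable CARD_KEY as 64 hex characters (32 bytes). The PAN below is a
// constructed test number, not real card data.

function loadKey(): string {
    $hex = getenv('CARD_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CARD_KEY must be 64 hex characters (32 bytes)');
    }
    return hex2bin($hex);
}

// Returns one opaque string for the database column: base64(nonce . tag . ciphertext).
// base64 here is only transport formatting; the secrecy comes from the key.
function sealPan(string $pan, string $key): string {
    $nonce = random_bytes(12);   // fresh per record; a nonce must never repeat under one key
    $tag = '';
    $ct = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($nonce . $tag . $ct);
}

// Returns the PAN, or null when the blob is malformed or was altered
// (the GCM tag check fails, so nothing is returned rather than corrupted digits).
function openPan(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pan = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $pan === false ? null : $pan;
}

// Demo: generate a throwaway key for this run, seal, open, then tamper.
putenv('CARD_KEY=' . bin2hex(random_bytes(32)));
$key  = loadKey();
$blob = sealPan('4111111111111111', $key);   // constructed test number
echo "stored value: $blob\n";
var_dump(openPan($blob, $key) === '4111111111111111');   // bool(true)

// Flip one ciphertext byte: decryption must now fail instead of returning digits.
$raw = base64_decode($blob, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(openPan(base64_encode($raw), $key));             // NULL
```

Two design points worth keeping in mind beyond the code: the key must not live in the same database (or backup) as the ciphertext, or the encryption buys nothing once that store leaks, and the last reply in this thread is right that the safest record is the one you never wrote, so decrypt only at the moment the provider accounts are created and delete the row afterwards.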

  3. #3
    SitePoint Evangelist nsj's Avatar
    64 bit encryption. not all that good, but easier to use :-)

    http://php.net/base64encode

    and

    http://php.net/base64decode

  4. #4
    ashattuc (SitePoint Evangelist)
    So I'm looking at possibly using this tool to encrypt / decrypt the data, and then removing the data from the database as soon as possible:

    http://blog.sc.tri-bit.com/archives/101

    Any thoughts on that approach?

    Thanks,
    Chris
    Chris S.

    Free Web Scripts - Form generators, AJAX tools and more!
    Micro CMS - A totally free AJAX-based, SEO-ed CMS!

  5. #5
    superuser2 (SitePoint Evangelist)
    Don't use base64 for storing credit card info, ever. Period. It's not encryption; it's encoding. It's easy to spot and any base64 encoded string can be decoded by any base64 decoder within millionths of a second. There is no "key"; it's not secret, and it is not for storing data that needs to be secure.

    Mcrypt.

  6. #6
    Chris Corbyn (Resident Code Monkey)
    Quote Originally Posted by nsj
    64 bit encryption. not all that good, but easier to use :-)

    http://php.net/base64encode

    and

    http://php.net/base64decode
    That is not "64 bit encryption". It's 7 bit for a start. It's "base 64" as in Hex being base16 and decimal being base 10. Base64 is extremely easy to decode... you could pretty easily read a base64 encoded string in your own head if you know how it works, just like many people can interpret hexadecimal (such as quoted-printable) by just looking at it. Even easier if you know that what you're looking at is numeric (i.e. 7-bit ascii all in a close range). Base64 is purely a way of representing strings only with 7-bits. Binary data, or unicode charsets for example use 8-bits and most protocols don't carry 8-bit streams, which is why it's needed.

    You need something that encrypts with a key like one of the options from mcrypt.

    I think it's pretty critical that people realise base64 is completely readable because I have seen it confused with encryption so many times before.
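To make the point of the last two replies concrete from the defender's side, here is an added example (not code from the thread) of an audit check you could run over a column that someone claimed was "encrypted" with base64: it strictly base64-decodes each stored value and flags anything that, plain or decoded, is a 13-19 digit string passing the Luhn check. No key appears anywhere, which is exactly why base64 protects nothing. The sample values are constructed; the Luhn and length rule is a generic card-number heuristic, not something the thread specifies.

```php
<?php
// Added example: detect card numbers that were "hidden" with base64.
// Everything below is keyless, so a scanner (or an attacker reading a dump)
// recovers the digits as easily as this script does. Sample data is constructed.

// Luhn check: the standard checksum used by card numbers.
function luhnValid(string $digits): bool {
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int)$digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// A value "looks like a PAN" if, after dropping spaces and dashes,
// it is 13-19 digits and passes Luhn (heuristic, assumed for this example).
function looksLikePan(string $s): bool {
    $digits = preg_replace('/[\s-]/', '', $s);
    return preg_match('/^\d{13,19}$/', $digits) === 1 && luhnValid($digits);
}

// Returns the indexes of stored values that expose a PAN, either as plain
// digits or behind a base64 layer. Strict decoding rejects non-base64 input.
function findExposedPans(array $values): array {
    $hits = [];
    foreach ($values as $i => $v) {
        if (looksLikePan($v)) {
            $hits[] = $i;
            continue;
        }
        $decoded = base64_decode($v, true);
        if ($decoded !== false && looksLikePan($decoded)) {
            $hits[] = $i;
        }
    }
    return $hits;
}

// Constructed column contents: a plain test number, the same number after the
// "64 bit encryption" suggested earlier in the thread, a random blob of the
// kind a real keyed cipher produces, and an unrelated string.
$samples = [
    '4111111111111111',
    base64_encode('4111 1111 1111 1111'),
    base64_encode(random_bytes(24)),
    'hello world',
];
print_r(findExposedPans($samples));   // flags indexes 0 and 1 only
```

The random blob in the third slot is what a genuinely encrypted value looks like to this scanner: it decodes, but to bytes that carry no card number without the key. That difference, recoverable by anyone versus recoverable only with a secret, is the whole distinction between encoding and encryption.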

  7. #7
    bokehman (Keep it simple, stupid!)
    Just put the data in a file encrypted with GnuPG and send it by email. GnuPG utilizes a public key and a private key. The public key is used to encrypt; the private key is used to decrypt. The private key is stored on your private machine and is used to decrypt the file when it arrives. Most servers have PGP or GnuPG installed and good email clients like Thunderbird have extensions that allow its reversal (with the correct private key of course).

  8. #8
    TheRedDevil (SitePoint Wizard)
    ashattuc:
    To store credit card numbers legally and safely you need to fulfill the different requirements your cc processor has. In addition you will also need to fulfill the requirements of each debit/credit card company (i.e. Visa, MasterCard etc).

    This is a difficult process, and since you're asking how to do it, you would be better off leaving this to your processor instead of trying to do it yourself.

    Your best shot would be to set up those accounts as soon as your client clicks submit and never store any cc information.

