Results 1 to 5 of 5
Nov 4, 2009, 15:09 #1
Need suggestions securing Credit Card information
We are in process of developing an ecommerce site where we need to store the credit card information of the user and auto charge their card on certain interval. (Over SSL)
We have planned to use AES with the secret key to encrypt and decrypt the credit card numbers. (Over SSL)
Now, I am not sure how do I handle the auto charge process, a cron job will be running on a certain interval and charge the credit cards of the users.
The only way I see is to assign the secret key in some variable so the cron job can pick it up and decrypt the CC numbers. But I am not sure if that's the best approach to do it..
Nov 4, 2009, 15:31 #2
I don't think you can meet the applicable requirements
Best to leave the storage of cardnumbers to somebody who has the proper security in place. Like payPal (who some think is not realy a pal)
The cron job would be a serious vulnerability as far security goes. It probably gets worse the deeper you get into it.
Nov 4, 2009, 16:21 #3
But then how does the subscription based model work? I have seen many sites charge the CC automatically..
Any ideas how they do it?
I just went through the PCI Compliance link, it says:
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Nov 5, 2009, 07:06 #4
If you want to do it yourself, I think you need to use a "certified" application (see the PCI site) The ones I looked at run around $1k for starters. You also need to be concerned with that the physical security of the servers meets their requirements.
If you come up short, you can get banned by Visa, MC, AX, or whoever.
Nov 5, 2009, 07:21 #5
Oh yes, the PCI Compliance fees is not a problem but what I am more concerned about is, is the way I am going is correct? i.e. on the technical front..
All suggestions welcome