  1. #1 rockafella (SitePoint Member, joined Jan 2008, India)

    Need suggestions securing Credit Card information

    Hi Guys,

    We are in process of developing an ecommerce site where we need to store the credit card information of the user and auto charge their card on certain interval. (Over SSL)

    We have planned to use AES with the secret key to encrypt and decrypt the credit card numbers. (Over SSL)

    Now, I am not sure how to handle the auto charge process: a cron job will be running on a certain interval and charge the credit cards of the users.

    The only way I see is to assign the secret key to some variable so the cron job can pick it up and decrypt the CC numbers. But I am not sure if that's the best approach.

    Any suggestions?

  2. #2 Cassidy (SitePoint Zealot, joined Mar 2009, Texas)
    I don't think you can meet the applicable requirements

    https://www.pcisecuritystandards.org.../pci_dss.shtml

    Best to leave the storage of card numbers to somebody who has the proper security in place. Like PayPal (who some think is not really a pal).

    The cron job would be a serious vulnerability as far as security goes. It probably gets worse the deeper you get into it.

  3. #3 rockafella (SitePoint Member)
    But then how does the subscription based model work? I have seen many sites charge the CC automatically..

    Any ideas how they do it?

    Update:

    I just went through the PCI Compliance link, it says:

    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
    Which I think we have already covered by encrypting the data.. so PCI Compliance shouldn't be an issue..

  4. #4 Cassidy (SitePoint Zealot)
    Quote Originally Posted by rockafella (post #3 above):
        But then how does the subscription based model work? I have seen many sites charge the CC automatically..

        Any ideas how they do it?

        Update:

        I just went through the PCI Compliance link, it says:

        Which I think we have already covered by encrypting the data.. so PCI Compliance shouldn't be an issue..
    My opinion is that the best way to do a subscription is through payPal, it's an intrinsic part of their offering.

    If you want to do it yourself, I think you need to use a "certified" application (see the PCI site). The ones I looked at run around $1k for starters. You also need to be concerned that the physical security of the servers meets their requirements.

    If you come up short, you can get banned by Visa, MC, AX, or whoever.

  5. #5 rockafella (SitePoint Member)
    Oh yes, the PCI Compliance fees are not a problem, but what I am more concerned about is whether the way I am going is correct, i.e. on the technical front..

    All suggestions welcome
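The design the replies point towards, written out as an added example that is not from any poster in this thread: the application never stores the PAN at all, only an opaque token the payment processor issued when the card was first entered, plus the last four digits for display. The cron job then charges by token, so there is no AES key for it to hold and no card numbers for it to decrypt. The `FakeGateway` and its `charge_token` method are stand-ins for a real processor's API, and the subscription records are constructed. The second function is the check a practitioner runs over the datastore and logs afterwards: it flags any Luhn-valid 13 to 19 digit run, which is how a real card number leaking into a field that should only hold a token would show up.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

def luhn_ok(digits):
    """Luhn check-digit test; every genuine card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pan_like(text):
    """Digit runs that look like a card number: 13-19 digits and Luhn-valid."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

@dataclass
class Subscription:
    customer_id: str
    gateway_token: str   # processor-issued reference; meaningless outside the gateway
    last4: str           # the only card-derived data the application keeps
    next_charge: date
    amount_cents: int

class FakeGateway:
    """Stand-in for the processor API (constructed for this example)."""
    def __init__(self):
        self.charges = []
    def charge_token(self, token, amount_cents):
        self.charges.append((token, amount_cents))
        return True

def run_billing_cycle(subs, gateway, today, period_days=30):
    """The cron job: charge every subscription that is due, using only its token."""
    charged = []
    for s in subs:
        if s.next_charge <= today and gateway.charge_token(s.gateway_token, s.amount_cents):
            s.next_charge = today + timedelta(days=period_days)
            charged.append(s.customer_id)
    return charged

def stored_records_contain_pan(subs):
    """Audit check: True if any stored field holds something that looks like a PAN."""
    return any(find_pan_like(f"{s.gateway_token} {s.last4}") for s in subs)
```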

