Encrypt credit card numbers

I want to encrypt credit card numbers in a database; what is the best way to go?
Is this a good way to go? http://framework.zend.com/manual/2.3/en/modules/zend.filter.set.html#encryption-with-blockcipher
Or which way do you suggest?

However, things are more complicated than that. You also have to secure your infrastructure and your keys (two or more persons should each hold a part of the key).

Check more on

Use a third party credit card processor and don’t store credit card information on your server at all. Limits your liability in case your server gets hacked.


True!

I know that PCI compliance requires lots of things, e.g. a 3rd-party security scanner, appropriate Apache configuration, SSL etc., and I am not actually going to collect CCs; I just want to learn and enrich my knowledge about how good it is to store CCs.

  1. Is just that BlockCipher http://framework.zend.com/manual/current/en/modules/zend.filter.set.html#encryption-with-blockcipher enough, with the key stored in config.php rather than in the DB?

  2. Another way I was thinking of is the BlockCipher above first, then notify the admin that a user entered his CC but it is not secure, so he should log in ASAP, decode the CC which was encoded above, and re-encode it with OpenSSL http://framework.zend.com/manual/current/en/modules/zend.filter.set.html#encryption-with-openssl,
     considering the key in config.php (the one used for BlockCipher above) as the public key; he would enter a private key that only he knows and that is not stored on the server, and update this encryption?
     Is the first way better, or the second, or do you suggest anything better?
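The second scheme above, with the server holding only a key that can encrypt and an admin holding the decrypting key that is never stored on the server, is what public-key encryption provides directly. The following is an added example, not from this thread and not Zend code, written in Go with a real RSA-OAEP keypair in place of the symmetric config.php key: the web server gets only the PEM public key and can seal a PAN, while opening it requires the private key kept offline. The function names, the `order-1001` record ID and the `4111111111111111` test PAN are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeypair is the offline step: the private key stays with the
// admin, only the PEM-encoded public key is copied to the web server.
func GenerateKeypair(bits int) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// PublicKeyFromPEM parses the public key the web server is allowed to hold.
func PublicKeyFromPEM(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM-encoded public key")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return rsaPub, nil
}

// SealPAN runs on the web server: RSA-OAEP with the public key only. The
// record ID is used as the OAEP label, so a ciphertext is bound to its row.
func SealPAN(pub *rsa.PublicKey, recordID, pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte(recordID))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenPAN runs wherever the private key lives, which is never the web server.
func OpenPAN(priv *rsa.PrivateKey, recordID, sealed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(recordID))
	if err != nil {
		return "", err // wrong key, wrong record ID, or tampered ciphertext
	}
	return string(pt), nil
}

func main() {
	priv, pubPEM, err := GenerateKeypair(2048)
	if err != nil {
		panic(err)
	}
	pub, err := PublicKeyFromPEM(pubPEM) // this is all the web server gets
	if err != nil {
		panic(err)
	}
	// Constructed test PAN and record ID, not real data.
	sealed, err := SealPAN(pub, "order-1001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB:", sealed)
	pan, err := OpenPAN(priv, "order-1001", sealed) // offline, with the private key
	fmt.Println("decrypted offline:", pan, err)
}
```

With a 2048-bit key and SHA-256, RSA-OAEP can encrypt at most 190 bytes per message, which is plenty for a PAN; for larger records the usual pattern is to encrypt the record with a fresh symmetric key and seal only that key with RSA.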

I work in a company that works with CCs so… I don’t think someone will give you a complete answer. A complete solution would be a security breach for that company.

All I can say is that 1) is not a valid solution.
About 2), I do not know what you mean by “a user did enter his CC but it is not secure”.

Isn’t that a contradiction?


Isn’t that where the credit card details are stored on a server connected to the internet?

So… the client enters the CC into some form. It’s your form!
What makes it “not secure”?

Who? The admin? You want to wake the guy up each time a CC is “not secure”?
This can be automated, of course. But, again, how do you know that he “did enter his CC but it is not secure”?

What is the problem with http://framework.zend.com/manual/current/en/modules/zend.filter.set.html#encryption-with-blockcipher for securing CCs? In the PDF @vectorialpx provided, it is mentioned that AES with a min. 128-bit key would be fine. 128 bits is 16 characters, so for sure a 64-character key (512 bits) is fair enough.
That Zend module by default uses AES with SHA-256. Isn’t it good to go?
As said here http://www.ijircce.com/upload/2014/march/22_AES.pdf, a 64-character (512-bit) key length is better than 16 and 32 characters.
Or is this a reliable class? https://github.com/andrew-kandels/php-credit-card-freezer/blob/master/CreditCardFreezer.php
PCI compliance is another topic which is off topic here. Here I am just talking about encryption methods for CCs.
Please advise.

Unfortunately not. If you want to store CC information, in whatever form, encrypted or not, on your system, you must be PCI compliant. The mentioned PDF gives you details of PCI-compliant encryption methods, so that should answer all theoretical questions regarding CC encryption.

I know, but as I said the topic here is only encryption methods: what is the best way to encrypt CC numbers?

If you’re not gonna store CCs anyway, why bother with the appropriate encryption methods?

Okay, forget about CCs, I mean whatever the f*** data! I hope that instead of these useless answers I’d get useful advice about the most reliable encryption method!
Which is more secure? AES-128 or AES-512?
For AES-512, does this mean I should have a 64-character key? Or does this mean I should use another algorithm than rijndael-128 for AES?

If you said what you actually wanted in the first place you might not have got “useless” answers.


:smile: Okay, my mistake,
so I hope to get useful answers to my latest reply above.

Here http://framework.zend.com/manual/current/en/modules/zend.crypt.block-cipher.html#zend-crypt-blockcipher

  1. I need to use AES-512; does this mean that the key must be 64 characters, or does AES-512 mean that sha512 should be used?
  2. Is AES-512 more secure than AES-128?

There are different types of security.

From a brute-force aspect AES-512 is more secure (see also https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks).

But if the encryption keys are compromised, neither version is any good.


Thanks; since it has nothing to do with CCs anymore, I created a new thread, please advise on this one:

You should use an HTTPS connection while receiving the data and encrypt it with a user-variable-dependent salt using AES 128- or 256-bit encryption.

Additional security is also required while reproducing the original data. Never store raw data. It would be best to use a third party specialized in this service.
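To make the key-size discussion in this thread concrete: AES is defined for 128-, 192- and 256-bit keys only, so a 64-character (512-bit) passphrase is not an "AES-512" key; it has to be turned into one of those three sizes, and a longer string does not make the cipher itself stronger. The added example below, not from this thread and not Zend's BlockCipher, is Go code showing AES-256-GCM encryption of a PAN with the key supplied from outside the database (here as a hex string, as it would come from an environment variable or a key service), the row's record ID bound as associated data so a ciphertext cannot be copied to another customer's row, only the last four digits kept in clear, and the error Go's crypto/aes returns for a 64-byte key. `ParseKey`, `EncryptPAN`, `DecryptPAN`, the `customer-42` ID and the `4111111111111111` sample PAN are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the database row: ciphertext (nonce prepended) and the
// last four digits in clear for display. The key is never in this row.
type StoredCard struct {
	Ciphertext string // base64(nonce || AES-GCM ciphertext || tag)
	Last4      string
}

// ParseKey decodes a hex key taken from outside the database and checks
// that it is one of the three sizes AES actually supports.
func ParseKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, err
	}
	switch len(key) {
	case 16, 24, 32: // AES-128, AES-192, AES-256
		return key, nil
	}
	return nil, fmt.Errorf("AES key must be 16, 24 or 32 bytes, got %d", len(key))
}

// newAEAD wraps AES in GCM. aes.NewCipher itself rejects any other key
// length (including 64 bytes) with an aes.KeySizeError.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the card number with a fresh random nonce and binds the
// record ID as associated data.
func EncryptPAN(key []byte, recordID, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	sealed := aead.Seal(nonce, nonce, []byte(pan), []byte(recordID))
	return StoredCard{
		Ciphertext: base64.StdEncoding.EncodeToString(sealed),
		Last4:      pan[len(pan)-4:],
	}, nil
}

// DecryptPAN opens the row; it fails on a wrong key, a wrong record ID,
// or any modification of the stored bytes.
func DecryptPAN(key []byte, recordID string, sc StoredCard) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sc.Ciphertext)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // in practice: ParseKey(os.Getenv("CARD_KEY_HEX"))
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sc, err := EncryptPAN(key, "customer-42", "4111111111111111") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("row: ciphertext=%s last4=%s\n", sc.Ciphertext, sc.Last4)
	pan, err := DecryptPAN(key, "customer-42", sc)
	fmt.Println("decrypted:", pan, err)
	_, err = EncryptPAN(make([]byte, 64), "customer-42", "4111111111111111")
	fmt.Println("64-byte key:", err)
}
```

GCM requires that a nonce never repeat under the same key; a random 12-byte nonce per row is fine at card-table volumes, and the key itself must live somewhere the database dump does not reach, or the encryption adds nothing over plaintext.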