
RE: FN-FORUM: Storing credit cards

date posted 30th May 2006 11:59

Thanks Robin

Very useful advice

Andy

-----Original Message-----
From: [EMAIL REMOVED] [EMAIL REMOVED] On Behalf Of Robin Vickery
Sent: 30 May 2006 12:30
To: FN-FORUM / [EMAIL REMOVED]
Subject: Re: FN-FORUM: Storing credit cards


On 30 May 2006 08:28:28 -0000, Andy Creed [EMAIL REMOVED] wrote:
>
> I am sure this subject has been covered before but I want to get advice on
> storing credit cards in a site database rather than using a payment
> processor.
>
> I know this should be avoided for obvious reasons. However the client wants
> to pursue this line of thinking? So if we can discount the fact it is a bad
> idea - what is the best way it can be done.
>
> As symmetrical encryption methods will need to be used what is the best
> one to use and what other methods should be employed to ensure (as much as
> possible) that data will be kept secure?

If you have to store card details you should be using AES with 256 bit
key size and 128 bit block size preferably in CTR mode, certainly not
ECB mode.

The information you have to keep secure is not confined to the actual
card number - you should also be encrypting expiry dates, issue
numbers and cardholder details.

The encryption keys shouldn't be stored on disk and precautions should
be taken to prevent them being swapped out to disk. They should never,
ever be on an external facing host.

It's a real pain to do properly and unless it *is* done properly then
your client will be violating his merchant agreement. At the moment
the PCI is coming after PSPs for DSS compliance but after this year,
they should be ready to move on enforcing it with the merchants.

-robin

