Password and Credit Card encryption

I am building a site, and will have it hosted with a public company (ipowerweb.com). I would like to keep customers credit cards in the database.

Does anyone have advice for the best way to secure and encrypt them ? What about storing and encryption of passwords, too (please) ?

Thanks for any insight.

Mike P

PHP

12 comments

@zahidraf (Aug 30, 2009) — First, it is not allowed that you save customer CC numbers; however, if you really need to, you could use the base64 functions:

Encode: base64_encode

Decode: base64_decode
@NogDog (Aug 30, 2009) — You really, really do not want to keep credit card numbers in any manner if there is any way to avoid it. If you do store them, then you had best be prepared to either do a lot of reading on all the regulations involved in doing so or hire someone who specializes in this, as the legal risks of not doing so could be severe. Your best bet is usually to use a 3rd-party billing service, letting them assume the risk of processing/storing the card data.

But if you are going to take on the responsibility and store them, you need to use a strong encryption method, not something easily reversed like base64_encode. MySQL has a number of encryption functions built in, such as AES_ENCRYPT() and DES_ENCRYPT(). But even such encryption is useless if your site can be hacked and your source code read, giving any such hacker info on which encryption method you used and what the encryption key was.

Also, if you are going to be accepting CC info from users, you [i]must[/i] use SSL encryption on the connection to the applicable pages (HTTP[b]S[/b]).
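As an added example (not code from the thread or from any poster), here is how the two approaches in this answer compare in PHP 7.2 or later, which bundles libsodium: base64 is shown to be reversible by anyone holding the stored value, and the card number is instead protected with authenticated encryption under a key loaded from an environment variable named CARD_KEY_HEX (an assumed name, set by the hosting control panel rather than written into the source tree). The card number and the fallback key generation at the bottom are constructed for the dry run.

```php
<?php
declare(strict_types=1);

// base64 is an encoding, not encryption: anyone holding the stored value recovers the
// original with one call. The number below is a constructed test value, not a real card.
$pan = '4111111111111111';
if (base64_decode(base64_encode($pan), true) !== $pan) {
    throw new LogicException('base64 round trip failed');
}

// Load the secret key from outside the source tree. CARD_KEY_HEX is an assumed
// variable name; set it once from sodium_bin2hex(sodium_crypto_secretbox_keygen()).
function loadCardKey(): string
{
    $hex = getenv('CARD_KEY_HEX');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CARD_KEY_HEX is missing or has the wrong length');
    }
    return sodium_hex2bin($hex);
}

// Authenticated encryption (XSalsa20-Poly1305): a fresh random nonce per record,
// prepended to the ciphertext. base64 is used here only to fit a TEXT column.
function encryptCard(string $pan, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($pan, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Decryption fails closed: a wrong key or a modified record throws instead of
// returning garbage, because the Poly1305 tag no longer verifies.
function decryptCard(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key or tampered data');
    }
    return $plain;
}

// Dry run. If no key is configured, an ephemeral one is generated so the script still
// runs; in a real deployment the key must be persistent and kept out of the source tree.
$key = getenv('CARD_KEY_HEX') !== false ? loadCardKey() : sodium_crypto_secretbox_keygen();

$stored = encryptCard($pan, $key);
if (decryptCard($stored, $key) !== $pan) {
    throw new LogicException('round trip failed');
}
echo "stored form: {$stored}\n";

// Flip one bit of the stored record and show that decryption refuses it.
$raw  = base64_decode($stored, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decryptCard(base64_encode($raw), $key);
    echo "UNEXPECTED: tampered record was accepted\n";
} catch (RuntimeException $e) {
    echo "tampered record rejected: {$e->getMessage()}\n";
}
```

Keeping the key in the environment rather than in a PHP file only separates it from the code; the caveat in the answer still holds, since whoever can read the running application's configuration can read the key too, which is the reason the answer points to a 3rd-party billing service in the first place.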
@JunkMale (Aug 30, 2009) — Just use a 3rd party like PayPal for your payment gateway. The storage of any banking details requires a number of things that you would have to pay for: an HTTPS server and the certificates, which are not cheap if you go and buy from a recognised vendor like Thawte, for example. When I looked up the charges for someone, Thawte wanted $2,799 just for certificates that were for accepting payments.

You would have all sorts of Data Protection issues.

It is far simpler to say that you can save yourself a huge headache and lawsuits should your site get hacked.

You should look at the various payment gateways that are on offer and let the person paying you decide on their chosen vendor; the use of someone like Google Checkout, PayPal or Nochex will also add a bit of confidence for the visitor that they have some form of backup should anything go sideways with a payment/goods dispute.

You may want to check with your web host as well to see if they offer a secure payment gateway via their merchant account. Some do and will take a percentage for the trouble, which can be more than the charges made by other gateways.
@phantom007 (Sep 01, 2009) — Sorry if I am intruding in between and if I am talking off-topic.

But do you think that payment gateways like PayPal, Authorize.net, are they really really hack-proof?

I mean, is it like no one on this earth can crack their encryption algorithm and hack into their database?

Please enlighten me.

Thanks
@JunkMale (Sep 01, 2009) — [QUOTE=phantom007]Sorry if I am intruding in between and if I am talking off-topic.

But do you think that payment gateways like PayPal, Authorize.net, are they really really hack-proof?

I mean, is it like no one on this earth can crack their encryption algorithm and hack into their database?

Please enlighten me.

Thanks[/QUOTE]

Have you ever tried hacking an http[B]s[/B] server?

http[B]s[/B] operates differently to http.
@phantom007 (Sep 01, 2009) — [QUOTE=JunkMale]Have you ever tried hacking an http[B]s[/B] server?

http[B]s[/B] operates differently to http.[/QUOTE]

Why would I attempt a hack? LOL

I was just curious and hence wanted to know.
@JunkMale (Sep 01, 2009) — It was a good question, though.
@phantom007 (Sep 01, 2009) — Well, I wasn't referring to the vulnerability of the protocol. I was referring to the vulnerability in the website/coding/SQL injections etc.

Or do you mean to say that even if I have SQL vulnerabilities in my website, if I use HTTPS I am safe?
@JunkMale (Sep 01, 2009) — If you read up, the main vulnerabilities seem to lie in the use of frameworks, so I would guess that the best policy is not to use things like Ruby on Rails on HTTPS, as it poses a potential keyhole entry point.

As with any web server, yes, you would still need to write secure code and check your inputs; the point about HTTPS is that the data is encrypted between the user's browser and the server, which is why it's perfect for secure transactions.

Some Micro$oft tech have cracked an HTTPS server but couldn't crack the encryption.

For using HTTPS to serve up a website outside of online transactions or user login verification, the overhead is not worth wasting the resources on.
@Mindzai (Sep 01, 2009) — [QUOTE=JunkMale]If you read up, the main vulnerabilities seem to lie in the use of frameworks, so I would guess that the best policy is not to use things like Ruby on Rails on HTTPS, as it poses a potential keyhole entry point.[/QUOTE]

I'm not so sure. Frameworks are used more widely than custom-written apps, so bugs are experienced by multiple people. Frameworks generally are written by the collective knowledge of many brains, and are usually far more secure than your average program written by your average developer.

Aside from that I agree completely: HTTPS is pretty damn secure, but that's all for nothing if you have gaping holes in your security elsewhere.

And besides which, if PayPal etc. are hacked, it's not your problem, it's theirs. You really do not want to be dealing with the legal ramifications of having exposed a database of credit card numbers and other personal data due to a security hole in your app.

And so far this is all just talk of software. Depending on where you are located, chances are there are regulations about physical security which would need to be met too.
@JunkMale (Sep 01, 2009) — [QUOTE=Mindzai]... And besides which, if PayPal etc. are hacked, it's not your problem, it's theirs. You really do not want to be dealing with the legal ramifications of having exposed a database of credit card numbers and other personal data due to a security hole in your app. ...[/QUOTE]

Which is a point I forgot about.

Physical security, yep, this is the physical location, and often these servers are located at banking data centres that have the level of security required for eCommerce.
@NogDog (Sep 01, 2009) — While we programmers tend to concentrate on security holes in the code, a lot of hacking is done via "people holes" (that sounds vaguely disgusting). Con jobs/scams to get people's login credentials (phishing being a notorious example), filtering through trash to find useful info in documents that should have been shredded but weren't, people using their pets' names and other easy things to guess if you know something about them (this is partly coding security too, in allowing weak passwords), disgruntled employees providing access or doing the hacking themselves, etc.

Presumably a company dedicated to such billing processes would have efforts in place to address physical security, personnel security, and best practices in terms of code security. A weak link in any one of those areas can bypass the measures taken in the other two areas.
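The "allowing weak passwords" point above, together with the password half of the original question, is the one the thread never answers in code. As an added example (not from any poster), the PHP below rejects the pet's-name class of password at registration, stores only a salted slow hash via password_hash, and re-hashes on login when the cost parameter has been raised. It assumes PHP 7.x or 8.x; the usernames, names and candidate passwords are constructed demo values.

```php
<?php
declare(strict_types=1);

// Reject the "pet's name" class of password before it is ever stored. The caller
// passes facts it already knows about the user (username, names from the profile).
function weakPasswordReason(string $password, array $knownFacts): ?string
{
    if (strlen($password) < 12) {
        return 'shorter than 12 characters';
    }
    foreach ($knownFacts as $fact) {
        if (strlen($fact) >= 3 && stripos($password, $fact) !== false) {
            return 'contains a name or word tied to the account';
        }
    }
    return null;
}

// Store only a salted, slow hash. PASSWORD_DEFAULT is currently bcrypt; the salt
// and cost are embedded in the returned string, so there is no key to protect and
// nothing reversible to leak if the table is read.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification recomputes the hash from the stored parameters. On success, a new
// hash is returned when the stored one uses a cost that is now considered too low,
// so the caller can transparently upgrade the record.
function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed demo values: username, first name, pet name.
$facts = ['jsmith', 'John', 'Rex'];
foreach (['rex2009', 'JohnSmith1234567', 'correct horse battery staple'] as $candidate) {
    $reason = weakPasswordReason($candidate, $facts);
    echo $candidate, ': ', $reason ?? 'accepted', "\n";
}

$stored = hashForStorage('correct horse battery staple');
echo 'stored prefix: ', substr($stored, 0, 7), "\n";   // e.g. "$2y$10$": algorithm and cost, never the password
var_dump(verifyAndMaybeRehash('correct horse battery staple', $stored)['ok']); // bool(true)
var_dump(verifyAndMaybeRehash('rex2009', $stored)['ok']);                        // bool(false)
```

Unlike the card data, a password never needs to be read back, so hashing rather than encryption is the right tool: a stolen table of bcrypt hashes still has to be attacked one slow guess at a time, and the weak-password check above is what keeps those guesses from being trivially short.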