credit card details - encryption

m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

credit card details - encryption

Post by m@ndio »

What is the best method to encrypt credit card details two-way (so they can be decrypted) without the use of mcrypt, as I do not have this on my server... I am planning on running the website on a secure server, but I will not be putting MySQL on a secure server.

Please help me... :cry:
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Is the openssl library on your server?

If no, I would argue for attempting to get either mcrypt or openssl installed. It's definitely not worth trying to write a replacement.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Are you using a processing gateway service? Usually they can provide the SSL encryption for you.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

JPlush76 wrote: Are you using a processing gateway service? Usually they can provide the SSL encryption for you.
He(?) said he had a secure web server, so he has the SSL encryption for web traffic. However, he wants to store the credit card information in the database, and wants it stored in a reversible encrypted form. Normally I would use mcrypt for this. He said it wasn't available. PHP has an openssl library as well as mcrypt that could be used: generate a public/private key pair, encrypt with the public key for storage, and only the secret key can unlock it.

If neither mcrypt nor openssl is on the server, I can't think of a PHP implementation of security that I would trust for two-way encryption. It's very easy to make mistakes when implementing the algorithms yourself and....
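
The public-key storage scheme described in the post above, as an added example that is not part of the original thread or any poster's code. The key size, passphrase and card number are constructed sample values, and the helper names `encrypt_for_storage` and `decrypt_from_storage` are hypothetical; the `extension_loaded()` check also shows one way to tell whether openssl is available.

```php
<?php
// Added example, not code from the thread. Passphrase and card number are constructed samples.
if (!extension_loaded('openssl')) {
    exit("openssl extension is not loaded (phpinfo() or `php -m` lists loaded extensions)\n");
}

// One-time setup, ideally on a machine other than the web server.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($pair === false) {
    exit('key generation failed: ' . openssl_error_string() . "\n");
}
// The private key is exported passphrase-protected and kept off the web server.
openssl_pkey_export($pair, $privatePem, 'constructed-sample-passphrase');
// Only the public key is deployed with the web application.
$publicPem = openssl_pkey_get_details($pair)['key'];

// Hypothetical helper: runs on the web server, needs only the public key.
function encrypt_for_storage(string $plaintext, string $publicPem): string
{
    // OAEP padding; a 2048-bit key accepts up to 214 bytes, ample for a card number.
    if (!openssl_public_encrypt($plaintext, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($cipher); // text-safe; store raw bytes instead if the column is a BLOB
}

// Hypothetical helper: runs only where the private key and its passphrase live.
function decrypt_from_storage(string $stored, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    $cipher = base64_decode($stored, true);
    if ($cipher === false
        || !openssl_private_decrypt($cipher, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plain;
}

$card      = '4111111111111111'; // constructed test number, not a real card
$stored    = encrypt_for_storage($card, $publicPem);
$recovered = decrypt_from_storage($stored, $privatePem, 'constructed-sample-passphrase');
var_dump($recovered === $card);
```

Because the web server holds only the public key, a copy of the database plus the web application's files is not enough to recover the stored numbers.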
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

gotcha, misread
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

Thanks guys.

How can I tell if openssl is installed on the server? phpinfo?

What do you recommend, mcrypt or openssl?
Net_Monkey
Forum Newbie
Posts: 11
Joined: Wed Jun 25, 2003 9:40 am

Re: credit card details - encryption

Post by Net_Monkey »

m@ndio wrote: What is the best method to encrypt credit card details two-way (so they can be decrypted) without the use of mcrypt, as I do not have this on my server... I am planning on running the website on a secure server, but I will not be putting MySQL on a secure server.

Please help me... :cry:
I store the credit card and CVN numbers in a BLOB field and encode them with a passphrase. It works pretty well. The module with the order administration will only output information if it's being viewed over SSL and when the order status is updated to complete, it erases the CVN and all but the last 4 digits of the card number.

This option has served us well for the last couple years...
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

This sounds a tad iffy if you ask me... :lol:
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I'd recommend mcrypt; it's the better suite of tools for symmetric algorithms and is more mature and therefore more likely to be correct.

Net_monkey's approach sounds OK, but what algorithm are you using to encrypt the data with the passphrase? If it's a homegrown solution it probably has problems. If it's not homegrown it's probably one of mcrypt/openssl....
Net_Monkey
Forum Newbie
Posts: 11
Joined: Wed Jun 25, 2003 9:40 am

Post by Net_Monkey »

nielsene wrote: Net_monkey's approach sounds OK, but what algorithm are you using to encrypt the data with the passphrase? If it's a homegrown solution it probably has problems. If it's not homegrown it's probably one of mcrypt/openssl....
I've been using MySQL's ENCODE/DECODE functions that are built into the database. Then, there's a user-specified passphrase (up to 255 characters in length) that is converted to an MD5 hash and used as the passcode.

I've been looking at some different encryption/decryption methods, but haven't been able to justify the change (backwards compatibility is a big issue). We do supplement the security of the encoding by removing the credit card number and CVN once the order has been processed, so the number is stored locally for a minimal amount of time.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

OK, that sounds secure for the uses the OP was posting about. (Of course it means that the data is transferred from the database to the application in the clear, which may be unacceptable.)

The MySQL manual doesn't list what algorithm is used for ENCODE/DECODE. I'd probably use the AES_* versions they provide so I know what's being used and I know AES is at least decent...
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

How can I find out if mcrypt is installed on the server? Is there a way? phpinfo?
Net_Monkey
Forum Newbie
Posts: 11
Joined: Wed Jun 25, 2003 9:40 am

Post by Net_Monkey »

m@ndio wrote: This sounds a tad iffy if you ask me... :lol:
Could you elaborate a little more?
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

Well, apart from the encryption, what methods are you using to transfer the data to the DBMS? SSL?
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

How can I find out if mcrypt is installed on the server? Is there a way? phpinfo?