credit card details - encryption
What is the best method to encrypt credit card details two-way (so they can be decrypted) without the use of mcrypt, as I do not have this on my server... I am planning on running the website on a secure server, but I will not be putting MySQL on a secure server.
Please help me...
JPlush76 wrote: are you using a processing gateway service? Usually they can provide the SSL encryption for you
He(?) said he had a secure web server, so he has the SSL encryption for web traffic. However, he wants to store the credit card information in the database, and wants it stored in a reversible encrypted form. Normally I would use mcrypt for this. He said it wasn't available. PHP has an openssl library as well as mcrypt that could be used: generate a public/private key pair, encrypt with the public key for storage, and only the secret key can unlock it.
If neither mcrypt nor openssl is on the server, I can't think of a PHP implementation of security that I would trust for two-way encryption. It's very easy to make mistakes when implementing the algorithms yourself and....
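The key-pair approach suggested in the post above, as an added example that is not part of the original thread. It assumes PHP's openssl extension is available; the function names are hypothetical, and the card number and passphrases are constructed test values.

```php
<?php
// Added example. Helper names are hypothetical; the card number is a
// constructed test value, not real data.

// Run once on a separate admin machine: the private key is exported under a
// passphrase and never copied to the web server.
function make_keypair(string $passphrase): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false || !openssl_pkey_export($key, $privatePem, $passphrase)) {
        throw new RuntimeException('key generation failed');
    }
    return [openssl_pkey_get_details($key)['key'], $privatePem];
}

// Web server: holds only the public key, so it can write but not read back.
function encrypt_card(string $pan, string $publicPem): string
{
    if (!openssl_public_encrypt($pan, $blob, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return $blob; // raw bytes, suitable for a BLOB column
}

// Order administration: needs the private key and its passphrase.
function decrypt_card(string $blob, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false
        || !openssl_private_decrypt($blob, $pan, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $pan;
}

[$publicPem, $privatePem] = make_keypair('constructed-passphrase');
$blob = encrypt_card('4111111111111111', $publicPem);
var_dump(decrypt_card($blob, $privatePem, 'constructed-passphrase') === '4111111111111111');

try {
    decrypt_card($blob, $privatePem, 'wrong-passphrase');
} catch (RuntimeException $e) {
    echo "wrong passphrase rejected\n";
}
```

A database dump or a compromise of the web host alone yields only ciphertext and the public key, because decryption needs both the private key file and its passphrase.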
-
Net_Monkey
- Forum Newbie
- Posts: 11
- Joined: Wed Jun 25, 2003 9:40 am
Re: credit card details - encryption
m@ndio wrote: What is the best method to encrypt credit card details two-way (so they can be decrypted) without the use of mcrypt, as I do not have this on my server... I am planning on running the website on a secure server, but I will not be putting MySQL on a secure server.
Please help me...
I store the credit card and CVN numbers in a BLOB field and encode them with a passphrase. It works pretty well. The module with the order administration will only output information if it's being viewed over SSL, and when the order status is updated to complete, it erases the CVN and all but the last 4 digits of the card number.
This option has served us well for the last couple years...
I'd recommend mcrypt; it's the better suite of tools for symmetric algorithms and is more mature and therefore more likely to be correct.
Net_monkey's approach sounds OK, but what algorithm are you using to encrypt the data with the passphrase? If it's a homegrown solution it probably has problems. If it's not homegrown it's probably one of mcrypt/openssl....
Net_Monkey
nielsene wrote: Net_monkey's approach sounds OK, but what algorithm are you using to encrypt the data with the passphrase? If it's a homegrown solution it probably has problems. If it's not homegrown it's probably one of mcrypt/openssl....
I've been using MySQL's ENCODE/DECODE functions that are built into the database. Then, there's a user-specified passphrase (up to 255 characters in length) that is converted to an MD5 hash and used as the passcode.
I've been looking at some different encryption/decryption methods, but haven't been able to justify the change (backwards compatibility is a big issue). We do supplement the security of the encoding by removing the credit card number and CVN once the order has been processed, so the number is stored locally for a minimal amount of time.
OK, that sounds secure for the uses the OP was posting about. (Of course it means that the data is transferred from the database to the application in the clear, which may be unacceptable.)
The MySQL manual doesn't list what algorithm is used for ENCODE/DECODE. I'd probably use the AES_* versions they provide so I know what's being used and I know AES is at least decent...