Credit Card Security
standouglas
- Forum Newbie
- Posts: 3
- Joined: Fri Aug 11, 2006 4:26 pm
Credit Card Security
I am going to start accepting credit cards. I have a secure server where I run my formmail script. All that's fine, but then my script forwards the order with the CC number to another email account.
What I was thinking of doing is in the formmail script on the https:// server
1)I would remove any spaces in the number,
2)and add some prime number to it like: 12764787846358441471
3)then shift it left a few digits with an arbitrary number like 74114
4)then add another prime to it like: 48112959837082048697
Then mail it to the insecure mail server. When we receive the email we would reverse the procedure to get the actual CC number. Anyone obtaining the email would need to know the seed number and how many digits the number was shifted (I think).
I know it's not rocket science, but wouldn't that work as some protection?
SD
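As an added worked example (editor's code, not from any poster in this thread) of why the scheme above is obfuscation rather than encryption: every step is an integer addition or a decimal shift, so the whole transform is an affine map c = a*n + b over the integers. Anyone who can read the outgoing mail and knows one or two plaintext/ciphertext pairs (for instance from orders placed with their own cards) recovers a and b and decrypts every other order, without ever learning the "primes". Two things here are assumptions not stated in the post: step 3 is read as appending the digits 74114 after a five-digit shift, and the card numbers used are the standard publicly documented test PANs, constructed for this example, not real cards.

```python
"""Editor-added example, not code from the thread.

The posted scheme (strip spaces, add a constant, shift left by a few
digits, add another constant) is an affine map c = a*n + b over the
integers, so it can be undone from known plaintext without the constants.

Assumptions: step 3 is read as appending the digits 74114 after a
five-digit shift; card numbers are the standard published test PANs
(4111..., 5555..., 3782...), constructed for this example.
"""

P1 = 12764787846358441471          # first "prime" from the post
P2 = 48112959837082048697          # second "prime" from the post
FILL = 74114                       # assumed: digits appended by the shift
SHIFT = len(str(FILL))             # five decimal places


def obfuscate(card: str) -> int:
    """The scheme as posted, run on the HTTPS side before the mail is sent."""
    n = int(card.replace(" ", ""))      # step 1: remove spaces
    n += P1                             # step 2: add the first constant
    n = n * 10 ** SHIFT + FILL          # step 3: shift left (assumed reading)
    return n + P2                       # step 4: add the second constant


def deobfuscate(c: int) -> str:
    """The receiver's reversal; this side needs P1, P2 and FILL."""
    n, fill = divmod(c - P2, 10 ** SHIFT)
    if fill != FILL:
        raise ValueError("fill digits do not match")
    return str(n - P1)


def luhn_ok(card: str) -> bool:
    """Luhn checksum: every real PAN passes it, so it filters wrong guesses."""
    total = 0
    for i, ch in enumerate(reversed(card)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def recover_affine(pairs):
    """Two (card_number, ciphertext) pairs, e.g. from two orders the
    attacker placed with cards they own, give a and b in c = a*n + b."""
    (n1, c1), (n2, c2) = pairs
    a, rem = divmod(c1 - c2, n1 - n2)
    if rem != 0:
        raise ValueError("not an integer affine map")
    return a, c1 - a * n1


def attack_two_pairs(pairs, intercepted: int) -> str:
    """Decrypt someone else's order using only the recovered (a, b)."""
    a, b = recover_affine(pairs)
    n, rem = divmod(intercepted - b, a)
    if rem != 0:
        raise ValueError("ciphertext not produced by this map")
    return str(n)


def attack_one_pair(known, intercepted: int, max_shift: int = 20):
    """With a single known pair: the slope is 10**k for some small k (a
    decimal shift), so try each k and keep decryptions that look like a
    PAN. Returns a list of (k, card_number) candidates."""
    n1, c1 = known
    hits = []
    for k in range(max_shift + 1):
        a = 10 ** k
        b = c1 - a * n1
        n, rem = divmod(intercepted - b, a)
        if rem == 0 and n > 0 and 12 <= len(str(n)) <= 19 and luhn_ok(str(n)):
            hits.append((k, str(n)))
    return hits


if __name__ == "__main__":
    # Attacker's own two orders (constructed test PANs), seen in the mail.
    my_cards = ["4111 1111 1111 1111", "5555 5555 5555 4444"]
    pairs = [(int(c.replace(" ", "")), obfuscate(c)) for c in my_cards]
    # A customer's order intercepted from the same insecure mailbox.
    victim = obfuscate("3782 822463 10005")
    print(attack_two_pairs(pairs, victim))     # 378282246310005
    print(attack_one_pair(pairs[0], victim))   # [(5, '378282246310005')]
```

The attacker never needs P1, P2 or the fill digits: a fixed, keyless arithmetic transform has no secret to protect, only a method to guess, and the method is guessable from the ciphertext's shape. A keyed cipher of the kind Ollie points to later in the thread does not have this algebraic structure, but it only moves the problem to keeping the key safe on two machines, which is why the thread ends at feyd's advice to not hold card numbers at all.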
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
standouglas
- Forum Newbie
- Posts: 3
- Joined: Fri Aug 11, 2006 4:26 pm
Why email
1) The receiving mail server has a function that calls a cell phone notifying us of an order. The web server does not. This eliminates the necessity of logging on periodically to check for an order.
2) Not sending it as an email so it can be downloaded to the order processing PC would mean storing it in a database on the website server. Also not a good security idea.
I am looking at trying to implement some form of the Blowfish PHP conversions that are floating around. But so far I haven't found any that have enough documentation for me to make use of them.
Any suggestions?
Regards,
SD
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
If you have to do that you are best off using some strong key-based encryption.
mcrypt
Apparently "there are strict laws governing the processing and storage of credit card information". So you might want to be careful in this area.
standouglas
- Forum Newbie
- Posts: 3
- Joined: Fri Aug 11, 2006 4:26 pm
CC authority
Well, it's pretty evident that any transmission of a CC# must be encrypted and my feeble idea won't be adequate.
Thanks Ollie for the heads up to mcrypt.
Does anyone know who enforces the CC requirements? Is it the FTC or the CC companies? I found this paper:
Mastercard Manual
I can't seem to locate any one place that states where to get the formal requirements.
It may be that the safest way to do this is to just state on the order form to check "credit card payment" and then either call the customer for it or have them call it in.
Sounded like a good idea a couple of days ago!
SD
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
The security requirements are pretty steep. I would suggest the much cheaper and easier solution of using a certified and well-regarded third-party clearinghouse. There are many out there, some providing better service toward certain industries than others, so some shopping is in order. The nice thing about these clearinghouses is that it dramatically reduces the liability you take on for accepting credit cards and other forms of payment.