Credit Card Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
standouglas
Forum Newbie
Posts: 3
Joined: Fri Aug 11, 2006 4:26 pm

Credit Card Security

Post by standouglas »

I am going to start accepting credit cards. I have a secure sever where I run my formmail script. All that's fine but then my script forwards the order with CC number to another email account.

What I was thinking of doing is in the formmail script on the https:// server
1)I would remove any spaces in the number,
2)and add some prime number to it like: 12764787846358441471
3)then shift it left a few digits with an arbitrary number like 74114
4)then add another prime to it like: 48112959837082048697


Then mail it to the unsecure mail server. When we receive the email we would reverse the procedure to get the actual CC number. Anyone obtaining the email would need to know the seed number and how many digits the number was shifted (I think).

I know it's not rocket science, but wouldn't that work as some protection?

SD
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Very minor amount of protection. And I do mean minor.
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

why do you even email it?
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

why do you even email it?
I am also interested.

If you have to do that you are best of using some strong key based encryption.
standouglas
Forum Newbie
Posts: 3
Joined: Fri Aug 11, 2006 4:26 pm

Why email

Post by standouglas »

1) The receiving mail server has a function that calls a cell phone notifying us of an order. The websever does not. This eliminates the necessity of logging on periodically to check for an order.

2) Not sending it as an email so it can be downloaded to the order processing PC would mean storing it in a data base on the website server. Also not a good security idea.

I am looking at trying to implement some form of the blowfish PHP conversions that are floating around. But so far I haven't found any that have enough documentation for me to make use of them.
If you have to do that you are best of using some strong key based encryption.
Any suggestions?

Regards,
SD
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Apparently "there are strict laws governing the processing and storage of credit card information". So you might want to be careful in this area.
Any suggestions?
mcrypt
User avatar
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ
Contact:

Post by PrObLeM »

I'm pretty sure you can't store the number at all. If you do, you could really get hammered by the CC company and the gov.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Why not just have it send him the email so it calls his cell phone, then log in and get the credit card number?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Most sms providers also have a log that keeps all the messages that have been sent... Basically, you're exposing your customer's credit card numbers to a third party...
standouglas
Forum Newbie
Posts: 3
Joined: Fri Aug 11, 2006 4:26 pm

CC authority

Post by standouglas »

Well, it's pretty evident that any transmittion of a CC# must be encripted and my feeble idea won't be adequate.
Thanks Ole for the heads up to mcrypt.
Does any one know who enforces the CC requirements? Is it the FTC or the CC companies. I found this paper:
Mastercard Manual

I can't seem to locate any one place that states where to get the formal requirements.

It may be that the safest way to do this is to just state on the order form to check "credit card payment" and then either call the customer for it or have them call it in.

Sounded like a good idea a couple of days ago!

SD
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The security requirements are pretty steep. I would suggest the much cheaper and easier solution of using a certified and well regarded third party clearinghouse. There are many out there, some providing better service toward certain industries than others. So some shopping is in order. The nice thing about these clearinghouses is it dramatically reduces the liability you take on for accepting credit cards and other forms of payment.
Post Reply