Credit Card Security
Posted: Fri Aug 11, 2006 4:52 pm
by standouglas
I am going to start accepting credit cards. I have a secure server where I run my formmail script. All that's fine but then my script forwards the order with CC number to another email account.
What I was thinking of doing is in the formmail script on the https:// server
1) I would remove any spaces in the number,
2) and add some prime number to it like: 12764787846358441471
3) then shift it left a few digits with an arbitrary number like 74114
4) then add another prime to it like: 48112959837082048697
Then mail it to the unsecure mail server. When we receive the email we would reverse the procedure to get the actual CC number. Anyone obtaining the email would need to know the seed number and how many digits the number was shifted (I think).
I know it's not rocket science, but wouldn't that work as some protection?
SD
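The four-step scheme from the post above, written out as an added example (not code from the thread) to show why feyd's "minor" is the right word: adding a prime, shifting, and adding another prime is one affine map, so the two primes collapse into a single additive constant, and a single order whose card number is already known (a test order, say) gives that constant back with one subtraction. The primes are the ones quoted in the post; step 3 is read as "shift left by a few decimal digits" and SHIFT = 3 is an assumption; the card numbers are constructed test values.

```python
# Added example: the obfuscation proposed in the first post, and its algebra.
# P1 and P2 are the primes quoted in the post. SHIFT is an assumption (the post
# says "a few digits"); card numbers below are constructed test values.

P1 = 12764787846358441471      # step 2: "add some prime number to it"
SHIFT = 3                      # step 3: shift left a few decimal digits (assumed)
P2 = 48112959837082048697      # step 4: "then add another prime to it"


def _digits(card: str) -> int:
    """Step 1: strip spaces and treat the card number as an integer."""
    return int(card.replace(" ", ""))


def obscure(card: str, shift: int = SHIFT) -> int:
    """Sender side, steps 1-4 exactly as described: (n + P1) * 10^shift + P2."""
    return (_digits(card) + P1) * 10 ** shift + P2


def unobscure(value: int, shift: int = SHIFT) -> str:
    """Receiver side: reverse the four steps (division is exact by construction)."""
    return str((value - P2) // 10 ** shift - P1)


def equivalent_constant(shift: int = SHIFT) -> int:
    """Expanding obscure() shows the whole secret is one number:
    (n + P1) * 10^shift + P2  ==  n * 10^shift + K   with  K = P1*10^shift + P2."""
    return P1 * 10 ** shift + P2


def constant_from_one_known_pair(card: str, value: int, shift: int = SHIFT) -> int:
    """One card number whose obscured value is known determines K outright,
    so every other email obscured with the same P1/P2/shift is readable."""
    return value - _digits(card) * 10 ** shift


def shift_from_two_known_pairs(card_a: str, value_a: int,
                               card_b: str, value_b: int) -> int:
    """The shift is not secret either: the difference of two obscured values is
    the difference of the two card numbers times 10^shift."""
    ratio = (value_a - value_b) // (_digits(card_a) - _digits(card_b))
    return len(str(ratio)) - 1        # ratio is exactly 10**shift


if __name__ == "__main__":
    test_card = "4111 1111 1111 1111"   # constructed test value, not a real card
    sent = obscure(test_card)
    print("round trip ok:", unobscure(sent) == test_card.replace(" ", ""))
    print("secret collapses to K:", sent == _digits(test_card) * 10 ** SHIFT + equivalent_constant())
```

The same reasoning is why the thread's later advice (real key-based encryption, or better, not handling the number yourself) holds: no choice of primes or shift changes the structure of this map.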
Posted: Fri Aug 11, 2006 4:55 pm
by feyd
Very minor amount of protection. And I do mean minor.
Posted: Fri Aug 11, 2006 4:59 pm
by Luke
why do you even email it?
Posted: Fri Aug 11, 2006 6:25 pm
by Ollie Saunders
why do you even email it?
I am also interested.
If you have to do that you are best off using some strong key based encryption.
Why email
Posted: Fri Aug 11, 2006 6:42 pm
by standouglas
1) The receiving mail server has a function that calls a cell phone notifying us of an order. The webserver does not. This eliminates the necessity of logging on periodically to check for an order.
2) Not sending it as an email so it can be downloaded to the order processing PC would mean storing it in a data base on the website server. Also not a good security idea.
I am looking at trying to implement some form of the blowfish PHP conversions that are floating around. But so far I haven't found any that have enough documentation for me to make use of them.
If you have to do that you are best off using some strong key based encryption.
Any suggestions?
Regards,
SD
Posted: Fri Aug 11, 2006 6:50 pm
by Ollie Saunders
Apparently "there are strict laws governing the processing and storage of credit card information". So you might want to be careful in this area.
Any suggestions?
mcrypt
Posted: Fri Aug 11, 2006 7:16 pm
by PrObLeM
I'm pretty sure you can't store the number at all. If you do, you could really get hammered by the CC company and the gov.
Posted: Fri Aug 11, 2006 7:18 pm
by Benjamin
Why not just have it send him the email so it calls his cell phone, then log in and get the credit card number?
Posted: Sat Aug 12, 2006 7:35 am
by timvw
Most sms providers also have a log that keeps all the messages that have been sent... Basically, you're exposing your customer's credit card numbers to a third party...
CC authority
Posted: Sat Aug 12, 2006 9:04 am
by standouglas
Well, it's pretty evident that any transmission of a CC# must be encrypted and my feeble idea won't be adequate.
Thanks Ole for the heads up to mcrypt.
Does anyone know who enforces the CC requirements? Is it the FTC or the CC companies? I found this paper:
Mastercard Manual
I can't seem to locate any one place that states where to get the formal requirements.
It may be that the safest way to do this is to just state on the order form to check "credit card payment" and then either call the customer for it or have them call it in.
Sounded like a good idea a couple of days ago!
SD
Posted: Sat Aug 12, 2006 9:15 am
by feyd
The security requirements are pretty steep. I would suggest the much cheaper and easier solution of using a certified and well regarded third party clearinghouse. There are many out there, some providing better service toward certain industries than others. So some shopping is in order. The nice thing about these clearinghouses is it dramatically reduces the liability you take on for accepting credit cards and other forms of payment.