Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 12:21 am
by gotts
Hi,
I need some serious advice. A client wants me to create a page for him where users can enter credit card details in order to pay for a specific service. The problem is that the client doesn't want it paid and processed immediately, and therefore things like PayPal are not an option.
I know there are many major concerns in storing CC information, but I thought of a possible solution and I wanted some feedback:
Of course, using an SSL connection, a page will accept all user details including credit card details.
PHP will then split the CC number into two parts: the first 12 digits (Part 1) and the last 4 digits (Part 2).
A random password will then be generated and used to encrypt Part 1, and then Part 1 and all other user details will be stored in a MySQL database.
Another random password will be generated to encrypt Part 2 of the CC. The PASSWORD will be stored in the database, and Part 2, together with the expiry date of the CC and a user ID (generated after inserting the above record into the DB), will be EMAILED to the site administrator. The password from Part 1 will also be included in the email.
The administrator, on receiving the email, will log in to the page and provide to an SSL web page form the designated USERID, the password for Part 1, the expiry date of the credit card and the encrypted Part 2.
PHP will then do the rest: find the record in the DB, decrypt both Part 1 and Part 2 and display all information to the user. The user will then do a manual credit card process, and then all data is deleted from the database.
I know this is clumsy, but my client doesn't mind and it seems like the safest option to me. No full CC number stored in any database. No generally stored password which could be compromised, etc.
Please give me feedback. Thanks so much.
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 2:46 am
by jaoudestudios
What encryption are you going to use?
What else is the database storing? It would probably be worth storing the CC in a different database on another server!
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 7:09 am
by gotts
Not going to work for me - I don't have access to another DB on another server.
You don't think the solution is secure? Where is the vulnerability?
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 10:35 am
by jaoudestudios
The encryption is one of the important factors. What type of encryption are you planning on using?
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 10:38 am
by gotts
Based on the system I suggested, and since passwords are going to be unique for every transaction, I thought symmetric encryption would be fine. Correct?
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 2:36 pm
by jaoudestudios
I meant which library, mcrypt?
http://uk3.php.net/mcrypt
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 3:08 pm
by Mordred
1. Read this before using mcrypt:
viewtopic.php?f=34&t=87834
2. Encrypt the email as well
3. Split the CC in two equal parts
To break it, one has to have access to all three points: database, email and source (for the key to decrypt the email)
Be very very careful in the implementation. If you and the client really care about securing this, I strongly suggest a 3rd party review of the code and protocol.
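The protocol gotts describes in the opening post, with Mordred's changes (encrypt the whole email body as well; choose the split point), written out as an added example in Go. It is not code from the thread or from any PHP library. It assumes AES-256-GCM with keys from the OS CSPRNG in place of the unspecified "random password" and mcrypt, a JSON-serialised email body, and a `mailKey` that lives only in the application source; the function and field names are the example's own, and the card number is the widely published Visa test number, constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// sampleCard is a constructed sample: the widely published Visa test number.
const sampleCard = "4111111111111111"

// DBRecord is the MySQL row: one part of the card under key1, plus key2,
// which only opens the part that went by email.
type DBRecord struct {
	UserID      string
	Part1Cipher []byte
	Key2        []byte
}

// EmailBody goes to the administrator, encrypted as a whole under mailKey
// (Mordred's point 2). Key1 opens Part1Cipher in the database.
type EmailBody struct {
	UserID, Expiry    string
	Part2Cipher, Key1 []byte
}

// newKey returns a 256-bit key from the OS CSPRNG, not rand()/mt_rand();
// failure of the system random source is treated as fatal.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails unless the key matches and the data is intact.
func unseal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(data) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Store is the submission step. splitAt=12 is the split gotts proposed,
// len(cc)/2 is Mordred's equal split. mailKey lives only in the source.
func Store(userID, cc, expiry string, splitAt int, mailKey []byte) (DBRecord, []byte, error) {
	if splitAt <= 0 || splitAt >= len(cc) {
		return DBRecord{}, nil, errors.New("split point must lie inside the card number")
	}
	key1, key2 := newKey(), newKey()
	p1, err1 := seal(key1, []byte(cc[:splitAt]))
	p2, err2 := seal(key2, []byte(cc[splitAt:]))
	if err := errors.Join(err1, err2); err != nil {
		return DBRecord{}, nil, err
	}
	body, _ := json.Marshal(EmailBody{UserID: userID, Expiry: expiry, Part2Cipher: p2, Key1: key1})
	mail, err := seal(mailKey, body)
	return DBRecord{UserID: userID, Part1Cipher: p1, Key2: key2}, mail, err
}

// Retrieve is the administrator's step: open the email with mailKey, then use
// key1 from the email on the database part and key2 from the database on the
// email part. Only a holder of all three pieces recovers the full number.
func Retrieve(rec DBRecord, mail, mailKey []byte) (string, string, error) {
	body, err := unseal(mailKey, mail)
	if err != nil {
		return "", "", err
	}
	var e EmailBody
	if err := json.Unmarshal(body, &e); err != nil || e.UserID != rec.UserID {
		return "", "", errors.New("email body does not match the database record")
	}
	p1, err1 := unseal(e.Key1, rec.Part1Cipher)
	p2, err2 := unseal(rec.Key2, e.Part2Cipher)
	if err := errors.Join(err1, err2); err != nil {
		return "", "", err
	}
	return string(p1) + string(p2), e.Expiry, nil
}
```

After Store, the database row holds Part1Cipher and Key2 and the email holds Part2Cipher and Key1, so neither store opens its own ciphertext; that is the property gotts is after, and the mail-level encryption means a mail relay sees nothing usable either. What the design cannot do is protect against a compromise of the web server itself, which sees the full number at submission time.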
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 4:17 pm
by Weirdan
As Mordred said, encrypting email is an essential part, because email could pass through several hosts not under your control before finally arriving at the admin's mailbox.
Re: Secure PHP - Credit Card processing system
Posted: Sun Sep 14, 2008 11:46 pm
by gotts
How would you suggest encrypting email?
I thought it was enough that the sensitive data (half a CC number and expiry date) was already encrypted within the email.
Is that not sufficient?
Remember I am encrypting both ends - sensitive data sent to the database is encrypted with password 1;
sensitive data being emailed is encrypted with password 2.
Password 2 is stored in the database for decrypting the email data.
Password 1 is sent in the email for decrypting the database data.
I thought that was already overkill?
Re: Secure PHP - Credit Card processing system
Posted: Mon Sep 15, 2008 1:57 am
by Mordred
Encrypt it with the same API you use for the other data, then send the encrypted mail body with the same API you use for sending emails. As for "why", Weirdan and I have already pointed out several reasons.
Re: Secure PHP - Credit Card processing system
Posted: Mon Sep 15, 2008 7:07 am
by gotts
OK, thanks.
Can you recommend any APIs to use?
Re: Secure PHP - Credit Card processing system
Posted: Thu Oct 23, 2008 10:12 pm
by Lukevdp
Do a search for phpcreditcard on Google; it's a new script that I wrote that tackles your security problem by having the private key stored on the local machine and accessing the database with a Windows app using OpenSSL.
Re: Secure PHP - Credit Card processing system
Posted: Fri Oct 24, 2008 12:12 am
by j4IzbInao
I'm speaking only from my own background, but here in Scandinavia every payment provider offers solutions for not using instant capture from the account, i.e. the amount is not withdrawn from the customer's account upon buying the product. Instead the owner of the site has to go and manually approve each transaction, and then the reserved amount is withdrawn from the customer's account.
I do not know if this is applicable in your case, but if it is, be sure to check if any of the existing providers available to you have this option and save yourself the hassle of storing other people's credit card information.
For an example, see the following documentation about different capture methods:
http://tech.dibs.dk/10-step-guide/10-st ... f-capture/
Re: Secure PHP - Credit Card processing system
Posted: Fri Oct 24, 2008 12:55 pm
by Hannes2k
Hi,
Storing CCs is a really sensitive topic.
Here are my recommendations:
- "A randomly password will then be generated"
With only PHP functions, it is really hard to generate a secure random password. If you just use rand or mt_rand, there are most times just 2^32 = ~4 billion possible passwords, and that's too easy to crack. So you need other random sources; in the best case you can read data from /dev/random or /dev/urandom.
If you do not have this possibility, it becomes really nasty. Maybe you can build an md5 hash of mt_rand/rand + user information (HTTP referer, which browser, name of the user, birth date and so on) + system information (memory_usage etc.) and use this hash as your key for encryption. Try to use each random source you can access with the PHP client.
My solution would be:
Use a one-way encryption, e.g. RSA. Create an RSA key pair, store the public key in your PHP file and encrypt the whole credit card number (all information in one single block!) with RSA. But you have to use a padding scheme, e.g., pad the CC with random numbers (here you also need a good random source) up to a length of e.g. 1024 or 2048 bits (depends on the key size). Without a padding scheme, this would be really insecure!
Now store the encrypted CC in your database. If an attacker breaks into your server, he cannot decrypt the CCs because he does not have the private key (but he can randomly modify the CCs). But he can sniff all further CCs, just by manipulating your scripts.
The next question is how your admin gets the CCs. One possible solution is an extra tool, e.g. written in Java. The Java client, which is just on the private computer of your admin, connects to a (password-secured) PHP web service and asks the web service if there are new entries in your database.
If there is a new entry, the Java client gets the encrypted credit card info from your web service, decrypts it with the private RSA key, which is stored in your Java client, and presents the info to your admin. The PHP web service should delete the information after a confirmation from the Java client that it has received all the data.
The Java client should only be stored on a secure system. And you should encrypt the private RSA key in the Java client, e.g. with AES, so that the admin first has to enter a password for starting the Java client (and decrypting the private key).
I hope this helps you and meets your (or the admin's) needs for the system.
The secure usage of RSA is not so easy, so you should read some papers about it (e.g. the chapter in Applied Cryptography by Bruce Schneier). Also, sometimes it is hard to get a fast & secure PHP implementation of RSA, so it would be good if you can run your own programs (e.g. written in C). If this is not possible, you can just use a 1024-bit RSA key (which is secure enough) and have to use the bc library of PHP.
There are also some (official) guidelines on how to handle CCs. You should read some of them.
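Hannes2k's 2^32 figure for a rand()/mt_rand()-derived password, turned into the attack it implies, as an added example in Go; this is not code from the thread or from PHP. A key derived from a single 32-bit PRNG output is recovered from nothing but a database dump by trying seeds, using "decrypts to 16 digits with a valid Luhn checksum" as the recogniser. The raw single-block AES encryption, the seed derivation, the function names and the sample card number (the widely published Visa test number) are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// samplePAN is a constructed sample: the widely published Visa test number.
const samplePAN = "4111111111111111"

// weakKey mimics a "random password" derived from a single 32-bit PRNG
// output, e.g. md5(mt_rand()): however long the hash, only 2^32 keys exist.
func weakKey(seed uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], seed)
	h := sha256.Sum256(b[:])
	return h[:]
}

// strongKey draws 256 bits from the OS CSPRNG (/dev/urandom on Linux), as
// Hannes2k recommends; the key space is 2^256 instead of 2^32.
func strongKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// encryptPAN encrypts a 16-digit PAN as exactly one raw AES block. This is
// deliberately minimal (no mode, no nonce, no authentication tag) so that the
// key-space problem is the only thing on show; do not store real records this way.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	if len(pan) != aes.BlockSize {
		return nil, errors.New("PAN must be exactly 16 characters")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, []byte(pan))
	return out, nil
}

func decryptPAN(key, ct []byte) ([]byte, error) {
	if len(ct) != aes.BlockSize {
		return nil, errors.New("ciphertext must be one AES block")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, ct)
	return out, nil
}

// luhnOK reports whether s is non-empty, all ASCII digits and passes the Luhn
// checksum that every card number carries.
func luhnOK(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // non-digit bytes wrap to a large value
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// recoverSeed is the attacker's side: given only the ciphertext from a database
// dump, try every seed below maxSeed. A hit is recognised because a real PAN
// decrypts to 16 digits with a valid Luhn checksum, which a wrong key produces
// with probability well below 10^-22. The whole 2^32 space is a few billion
// hash-and-decrypt operations, i.e. minutes to hours on a single core.
func recoverSeed(ct []byte, maxSeed uint32) (seed uint32, pan string, found bool) {
	for s := uint32(0); s < maxSeed; s++ {
		pt, err := decryptPAN(weakKey(s), ct)
		if err == nil && luhnOK(string(pt)) {
			return s, string(pt), true
		}
	}
	return 0, "", false
}
```

The point generalises beyond this toy: with any authenticated mode the tag itself tells the attacker when a key guess is right, so a small key space is fully exploitable offline from the stored ciphertext alone, no matter how strong the cipher. Mixing in the referer, browser string or memory usage raises the cost only by the few bits those values actually vary by; drawing the key from the OS random source is what removes the problem.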
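Hannes2k's public-key design (public key in the web script, private key only in the administrator's own client, random padding, the whole record in one block) as an added example in Go. It is not code from the thread, and not the Java client or PHP web service he describes. It substitutes RSA-OAEP with SHA-256 for the hand-rolled random padding he mentions, requires a 2048-bit key rather than the 1024 bits he calls sufficient (1024-bit RSA is no longer considered adequate), and leaves out the password-based encryption of the private key and the web service transport. The type names, the OAEP label and the record layout are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// CardRecord is everything the administrator needs, encrypted together as one
// block (Hannes2k's "all information in one single block").
type CardRecord struct {
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
	Holder string `json:"holder"`
}

// oaepLabel binds ciphertexts to this use; decryption under another label fails.
var oaepLabel = []byte("card-record-v1")

// WebServer is the part that lives in the PHP script: it holds only the public
// key, so a compromise of the server cannot decrypt stored records (it can
// still capture new submissions, as Hannes2k notes).
type WebServer struct{ pub *rsa.PublicKey }

// Encrypt seals a record with RSA-OAEP. OAEP is the random padding scheme
// Hannes2k insists on; with a 2048-bit key and SHA-256 the plaintext may be at
// most 190 bytes, which a JSON card record fits comfortably.
func (w WebServer) Encrypt(r CardRecord) ([]byte, error) {
	msg, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, msg, oaepLabel)
}

// AdminClient is the tool on the administrator's own machine; it is the only
// holder of the private key.
type AdminClient struct{ priv *rsa.PrivateKey }

// Decrypt opens a record. A ciphertext that was modified in the database fails
// OAEP decoding instead of yielding a silently altered card number.
func (a AdminClient) Decrypt(ct []byte) (CardRecord, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, ct, oaepLabel)
	if err != nil {
		return CardRecord{}, err
	}
	var r CardRecord
	if err := json.Unmarshal(msg, &r); err != nil {
		return CardRecord{}, err
	}
	return r, nil
}

// NewDeployment generates the key pair once, offline. Only the public half is
// handed to the web server; the private half stays with the admin client.
func NewDeployment(bits int) (WebServer, AdminClient, error) {
	if bits < 2048 {
		return WebServer{}, AdminClient{}, errors.New("use at least a 2048-bit RSA key")
	}
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return WebServer{}, AdminClient{}, err
	}
	return WebServer{pub: &priv.PublicKey}, AdminClient{priv: priv}, nil
}
```

Two properties worth checking when building this: the same record encrypts to a different ciphertext each time (OAEP's random padding, which is what the unpadded "textbook RSA" Hannes2k warns against lacks), and flipping a single bit of a stored ciphertext makes Decrypt return an error rather than a wrong card number.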
Re: Secure PHP - Credit Card processing system
Posted: Fri Oct 24, 2008 11:21 pm
by DrTom
In the United States (or dealing with Visa / MasterCard / AMEX), if your site stores, processes, or transmits a card number, you are required to comply with PCI DSS (check
http://www.pcicomplianceguide.org). This is an absolute nightmare. It's difficult and expensive.
Also, none of the above-mentioned security methods are PCI compliant. Or really even close.
If there's any way you can convince them to use some other payment method, I strongly advise it. Credit card numbers are a nightmare to deal with. Just an absolute nightmare.