Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Storing Credit Card #'s

Status
Not open for further replies.
degroat

degroat

Programmer
Sep 15, 2003
58
US
I thought I was going to be able to avoid storing the #'s in the system that I'm developing, but it has turned out that that is not the case.

So, can anyone point me in the right direction. The server we're using is not on location so (from what I've read) I know that causes some problems. I'm really not all the familar with encryption and decryption. I've used md5, but that's about it.
 
Sort by date Sort by votes
Well, md5 is not an encryption algorithm, it's a hashing algorithm -- as such, it's one-way. Classically, it's used for authentication -- the user's password is stored in hashed form and any user password is also hashed by the same algorithm. Then you can compare the stored password with the user-provided one without being able to know what the password actually is.


I've been dealing with e-commerce systems for a while now, and I've never needed the customers complete CC number. As most, I've needed the last four digits. Why must you store customer credit-card numbers in their entirety?

It's possible to keep CC numbers secure when their stored. Amazon, for example, keeps the CC numbers on file to make checkout easier. But they have a three-tier system: database server, application server, web server. Only the application server can access the data -- the web server can only access the application server. That way, a hacker has to go through three machines to get at the data.

Then you place all kinds of extremely paranoid intrusion-detection systems on the links between the tiers. Anything untoward happens, and that link is killed.

Then there are additional safeguards on top of that.

Do you have the capability to provide that level of network-level security?

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Yea.. that'd be a no. :)

Here's my problem... As you have probably figured out through previous posts, I'm developing a system to sell art prints online. We have one supplier for all 90,000+ prints that we'll have available. This is made possible because our supplier is simply a distributor for a number of companies that actually publish the art. So, when a customer places an order, the system will automatically generate an email to our supplier. Our supplier will then order the art from the necessary publishing companies and once they receive the art, they will drop ship it directly to the customer. So, the process from the time the customer places the order until the art is actually being shipped to the customer can take days.

This is an issue because law requires that a credit card not be processed until the product has been shipped to the customer. What I have to do is pre-authorize the card and then post-authorize to finalize the transaction once the product has been shipped. The problem is that there is a relatively good chance that at some time it will take longer to get the product shipped than the credit card company will hold the funds. If this happens, I'll have to re-run the transaction or we're SOL (especially when you consider that this issue wouldn't be discovered until the package is already in transit to the customer).

Additionally, my boss wants their CC information so we can do refunds without having to get the card back from the customer. Personally, I don't think the customer will mind at all if they have to give their CC to you again to get money back. Unfortunately, he's a constant Amazon user so he wants the same functionality.
 
Upvote 0 Downvote
I strongly recommend against storing the CC number in its entirety.

The only time you will need the credit-card number is in the case of having to put a transaction through again after a funds capture has expired. In the cases of refunds and authorizations as the product ships, all you need is the transaction number provided by your CC clearinghouse.

What does "the server we're using is not on location" mean?

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
You say "only time" but we think that this is going to happen pretty often.

What I mean is that server that this is stored on is not in this building. So, using an ecryption that requires a key that is not stored directly on the machine isn't really possible.

 
Upvote 0 Downvote
The only other option I can think of is to have the credit cards #'s emailed to me when the order is placed. The email would be sent using PHP from a page on a secure server. What do I have to do to make sure the email is secure when sent?
 
Upvote 0 Downvote
I was just reading this interesting thread... Did you ever work out a solution?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

penguinspeaks
  • Locked
  • Question
Stored Procedures and triggers
Replies
9
Views
249
penguinspeaks
penguinspeaks
boylesg
  • Locked
  • Question
Can't sort my table by a particular column, records are returned in autinc order.
Replies
4
Views
299
spamjim
spamjim
EdLentz
  • Locked
  • Question
Looking for suggestions on how to do this
Replies
4
Views
221
Chris Miller
Chris Miller
BobThornton
  • Locked
  • Question
Drop/Truncate tables based on a stored procedures value 1
Replies
6
Views
287
BobThornton
BobThornton
dylim
  • Locked
  • Question
SQL_CALC_FOUND_ROWS still runs in MySQL 8.0.29
Replies
2
Views
302
dylim
dylim

Part and Inventory Search

Sponsor

Back
Top