  1. #1
    New Coder
    Join Date
    Aug 2002
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Encrypt credit card number and store in DB

    My client wants to store and retrieve credit card numbers in SQL Server, and they want to encrypt that info.

    But I have not done any encryption before. Can someone help me out and give me some guidelines and advice?

    Thank you for all your help.

  • #2
    Senior Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    1,137
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I personally would not advise storing credit card info online; if it is necessary, use the last 4 digits.

    scroots
    Spammers next time you spam me consider the implications:
    (1) that you will be persuaded by me (in a legitimate manner)
    (2) It is worthless to you when I have finished

  • #3
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    Originally posted by scroots
    I personally would not advise storing credit card info online
    I agree. Amazon used to do it until they got hacked. It's just too large of a security risk to store such sensitive information online.
    OracleGuy

  • #4
    Senior Coder
    Join Date
    Jun 2002
    Location
    41 8' 52" N -95 53' 31" W
    Posts
    3,660
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Actually I'll third that opinion... I would leave credit card number storing/authorization up to the company that you process credit cards with - i.e. authorize.net, cybersource, etc.

    They have interfaces already created where your client can view credit card transactions, refund, charge, etc.

    There's no reason to put your company at risk by storing sensitive information if you don't have to (and possibly subjecting that information to hackers, in the case your server is compromised) - that's the job of the companies that process this information routinely.

    As someone who regularly shops online, I am reassured when a company asks me to re-supply my CC information if there was a glitch or whatnot, since they don't store it.
    Last edited by whammy; 01-29-2003 at 01:45 AM.
    Former ASP Forum Moderator - I'm back!

    If you can teach yourself how to learn, you can learn anything. ;)

  • #5
    Regular Coder
    Join Date
    Jul 2002
    Location
    Las Vegas, NV - USA
    Posts
    104
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Same -- do not store the credit card info; only store the minimal (last four or five digits of card number and card type is usually enough) for auditing purposes.

    The only exception to this rule would be a periodic billing application where you bill accounts monthly, quarterly, etc. In this instance, I would recommend against having the data available for any purpose via the web -- an internal system only. Also, in this case you are required to encrypt the information to hide it from prying eyes, not hackers (even though you should do your best to prevent hacking). If a hacker got this far, your data is gone anyway because he/she would most likely also have access to your encryption key(s).
    Steven Sommers (blog)
    Shift4 Corporation -- www.shift4.com

    Creators of $$$ ON THE NET(tm) payment processing services.
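
The advice in posts #2 and #5 (keep only the last four digits and the card type for auditing), sketched as an added example that is not part of the thread or any poster's code. The function names and the simplified four-brand prefix table are assumptions; the number in the usage line is a widely published processor test number, not a real card.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(digits: str) -> str:
    """Simplified issuer-prefix lookup (assumption: four common brands only)."""
    n = len(digits)
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55
                    or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 16 and (digits[:4] == "6011" or digits[:2] == "65"):
        return "discover"
    return "unknown"

def audit_record(card_number: str) -> dict:
    """Reduce a card number to the only fields worth persisting.

    The full number is handed to the payment processor and never written
    to the database. Error messages deliberately omit the input so the
    number cannot leak into logs or tracebacks.
    """
    digits = re.sub(r"[ -]", "", card_number)
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        raise ValueError("input is not a card number")
    if not luhn_ok(digits):
        raise ValueError("card number failed checksum")
    return {"brand": card_brand(digits), "last4": digits[-4:]}

if __name__ == "__main__":
    # Published test number, entered the way a user might type it.
    print(audit_record("4111 1111 1111 1111"))
```

Only the returned dictionary goes into the database row; the variable holding the full number should go out of scope as soon as the processor call returns.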

