  1. #1
    New Coder
    Join Date
    Mar 2005
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Encryption for sending Credit Card Numbers via Email

    Hello:

    I am currently working on a project where the client would like their visitors to be able to provide credit card information online.

    An SSL certificate will be put in place to protect the information as it travels between client and server, however they do not wish to use PayPal or anything of the sort to process the payment. They want the credit card information emailed to them so they can process it themselves. The credit card information would not be stored anywhere, other than in the email I suppose, and it would be their responsibility to delete that promptly.

    (Personally, I think they should go with PayPal to process payments for them and avoid the whole can of worms that comes along with receiving their customers' credit card numbers. If something goes wrong, you know who it will come back to.)

    I do not have any experience with encryption, hence my apprehension about this project -- the closest I come is using md5 to hash passwords stored in a database.

    I have taken a look at mcrypt in order to encrypt the credit card information. Would another webpage be needed in order to decrypt the information? Would mcrypt be "safe enough"? We do not have our own webserver, so how much trouble am I going to cause our server admin by using this?

    I have also been looking at GnuPG, which has Outlook plugins available (though the most recent posts I can find about this are from 2002). This would allow the recipient of the email to decrypt it locally. But again, I'm not sure what needs to be installed on the server... our server admin is already complaining that when he rebuilds that box, it will be a nightmare since it's had so many customizations already.

    So, I guess what I'm asking is: does anyone have experience with this, and what is the best solution?

    Thanks for your time!

  • #2
    Regular Coder
    Join Date
    Apr 2004
    Posts
    102
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well, the first thing that comes to mind is: educate your client. If you don't educate your client they're going to think this is a great idea, and think your suggestion is just going to cost them money short term. Tell them about the long-term effects and security implications. If they still don't pay attention to what you're saying then they're honestly not using your services to their full advantage, and if that's the case you may want to rewrite your contract with them stating you won't be held liable for any data loss such as credit card details. This may first wake them up so they go with the solution, or prove that they honestly aren't interested in security and are just thinking about saving a buck in the short term.

  • #3
    Regular Coder Coastal Web
    Join Date
    Oct 2004
    Posts
    225
    Thanks
    12
    Thanked 3 Times in 3 Posts
    Since you didn't ask your opinion on the idea, I'll keep my mouth shut, and just show ya an idea... here is a basic encryption/decryption script that won't "give up the goods" if the user doesn't have the correct unlocking key...


    PHP Code:
    <?php

    $key = 'THIS IS MY MAGIC KEY'; //<- can be edited to be anything....

    //basic function used to encrypt, and decrypt the log file
    //each character has the byte value of the matching key character added to it;
    //the key repeats once the input is longer than the key
    function encrypt($string, $key)
    {
        $result = '';
        for ($i = 1; $i <= strlen($string); $i++)
        {
            $char = substr($string, $i - 1, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) + ord($keychar)); // chr() wraps modulo 256
            $result .= $char;
        }
        return $result;
    }

    //reverses encrypt() by subtracting the same key characters
    function decrypt($string, $key)
    {
        $result = '';
        for ($i = 1; $i <= strlen($string); $i++)
        {
            $char = substr($string, $i - 1, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
        return $result;
    }
    //done with encrypt/decrypt functions...
    //

    //now just to show off how it works:

    $creditCardNumber = "5555-9854-8454-0012"; //<- your CC number

    $encryptedCC = encrypt($creditCardNumber, $key); //<- your encrypted CC number

    $decryptedCC = decrypt($encryptedCC, $key); //<- and your decrypted CC number

    //some output
    echo <<<end
    Your credit card number is: $creditCardNumber
    <BR>
    Your encryption key is: $key
    <BR>
    Your encrypted CC is: $encryptedCC
    <BR>
    and now I've decrypted it: $decryptedCC
    end;

    //
    // I would suggest using a KEY that changes once a week or so at the very least
    // Good luck!
    //

    ?>
    Samantha Gram
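
Added example, not part of any post in this thread: the "recipient decrypts locally" design raised in post #1, sketched with libsodium sealed boxes from PHP's bundled sodium extension (PHP 7.2+) in place of GnuPG. The function names sealForMerchant and openFromServer are hypothetical, and the card number is the sample value from post #3.

```php
<?php
// Added example: public-key ("sealed box") encryption with ext/sodium.
// Function names are hypothetical; the card number is the thread's sample.

// --- Done once on the merchant's own machine, never on the web server ---
$keypair   = sodium_crypto_box_keypair();            // secret + public key
$publicKey = sodium_crypto_box_publickey($keypair);  // only this is deployed

// --- On the web server: it holds $publicKey and nothing else ---
function sealForMerchant(string $cardData, string $publicKey): string
{
    // A sealed box is encrypted under a throwaway sender key, so the server
    // cannot decrypt what it has just encrypted.
    $sealed = sodium_crypto_box_seal($cardData, $publicKey);
    return base64_encode($sealed);   // text-safe for an email body
}

// --- On the merchant's machine, where the secret key lives ---
// Returns the plaintext, or null if the body is malformed, was modified in
// transit, or was sealed for a different key.
function openFromServer(string $emailBody, string $keypair): ?string
{
    $sealed = base64_decode($emailBody, true);
    if ($sealed === false) {
        return null;
    }
    $plain = sodium_crypto_box_seal_open($sealed, $keypair);
    return $plain === false ? null : $plain;
}

$body = sealForMerchant('5555-9854-8454-0012', $publicKey);

// Round trip with the matching keypair.
var_dump(openFromServer($body, $keypair));

// Same message with one bit flipped in the last byte: the authentication
// tag no longer verifies, so nothing is returned.
$raw = base64_decode($body);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(openFromServer(base64_encode($raw), $keypair));

// Same message opened with an unrelated keypair.
var_dump(openFromServer($body, sodium_crypto_box_keypair()));
```

Only `$publicKey` needs to exist on the web server; the keypair stays on the machine where the mail is read.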

