View Full Version : Encrypt creditcard number and store in DB

01-28-2003, 06:17 PM
My client want to store and retrieve creditcard number in SQL server, and they want encrypt that info.

But I have not done any encryption before. Can someone help me out, give me some guide line and advices?

Thank you for all your helps

01-28-2003, 07:15 PM
I personally would not advise storing credit card info online, if it is necessary use the last 4 digits.


01-29-2003, 12:40 AM
Originally posted by scroots
I personally would not advise storing credit card info online

I agree. Amazon used to do it until they got hacked. Its just a too large of a security risk to store such sensitive information online.

01-29-2003, 02:41 AM
Actually I'll third that opinion... I would leave credit card number storing/authorization up to the company that you process credit cards with - i.e. authorize.net, cybersource, etc.

They have interfaces already created where your client can view credit card transactions, refund, charge, etc.

There's no reason to put your company at risk by storing sensitive information if you don't have to (and possibly subjecting that information to hackers, in the case your server is compromised) - that's the job of the companies that process this information routinely. ;)

As someone who regularly shops online, I am reassured when a company asks me to re-supply my CC information if there was a glitch or whatnot, since they don't store it. :D

01-29-2003, 08:54 PM
Same -- do not store the credit card info; only store the minimal (last four or five digits of card number and card type is usually enough) for auditing purposes.

The only exception to this rule would be a periodic billing application where you bill accounts monthly, quarterly, etc. In this instance, I would recommend against having the data available for any purpose via the web -- an internal system only. Also, in this case you are required to encrypt the information to hide it from prying eyes, not hackers (even though you should do your best to prevent hacking). If a hacker got this far, your data is gone anyway because he/she would most likely also have access to your encryption key(s).