On 6/5/07, Peter Childs <peterachilds@xxxxxxxxx> wrote:
On 05/06/07, Andrew Sullivan <ajs@xxxxxxxxxxxxxxx> wrote:
> On Tue, Jun 05, 2007 at 09:28:00AM -0500, Ron Johnson wrote:
> >
> > If he is a CC customer, the system (which I am DBA of) bills his
> > card directly, saving the customer much time and effort.
>
> So surely what you have is a completely separate system that has
> exactly one interface to it, that is signaled to provide a
> transaction number and that only ever returns such a transaction
> number to the "online" system, and that is very tightly secured,
> right?
>
> It is possible to make trade-offs in an intelligent manner, for sure,
> but you sure as heck don't want that kind of data stored online with
> simple reversible encryption.

Unfortunately you still need to store them somewhere, and all systems can be hacked. Yes, it's a good idea to store them on a separate system and this is an important part of designing your systems to ensure that the simple user interface is somehow limited.
If you really need the number in cleartext you should use public-key encryption, either via pgcrypto or in the application. Thus you can have only the public key in the public database; credit-card numbers are encrypted with it, and later the actual billing happens in a separate, highly secured system that has the corresponding private key available to decrypt the data.

-- marko
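
The split described in the message above, sketched with pgcrypto's PGP functions. This is an added example, not code from the thread: the table, function and role names (`billing_pubkey`, `customer_card`, `store_card`, `web_app`, `imported_card`) and the psql variables `privkey` and `passphrase` are hypothetical, and it assumes a PostgreSQL version with `CREATE EXTENSION` and pgcrypto installed in `public`.

```sql
-- === Online (public) database: holds the PUBLIC key only ===
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE billing_pubkey (
    id      integer PRIMARY KEY CHECK (id = 1),  -- single-row table
    armored text NOT NULL                        -- ASCII-armored PGP public key
);

CREATE TABLE customer_card (
    customer_id integer PRIMARY KEY,
    card_enc    bytea NOT NULL                   -- PGP message; this database cannot decrypt it
);

-- The one interface the web application gets: encrypt and store.
-- $1 = customer id, $2 = card number in cleartext.
CREATE FUNCTION store_card(integer, text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    INSERT INTO customer_card (customer_id, card_enc)
    SELECT $1, pgp_pub_encrypt($2, dearmor(k.armored))
    FROM billing_pubkey k
    WHERE k.id = 1;
$$;

-- web_app (hypothetical role) may call the function but never read the table.
CREATE ROLE web_app LOGIN;
REVOKE ALL ON customer_card, billing_pubkey FROM PUBLIC;
REVOKE ALL ON FUNCTION store_card(integer, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION store_card(integer, text) TO web_app;

-- === Billing database (separate, secured host): the private key lives only here ===
-- imported_card is a hypothetical copy of customer_card rows pulled by the billing job.
-- privkey / passphrase are psql variables set on the billing host, never on the online one.
SELECT customer_id,
       pgp_pub_decrypt(card_enc, dearmor(:'privkey'), :'passphrase') AS card_number
FROM imported_card;
```

pgcrypto runs inside the server it is called on, so the decrypting query must execute on the billing system's own database: calling `pgp_pub_decrypt` on the online server would send the private key and passphrase to that server and undo the separation.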