On Wed, 02 Feb 2005 01:24:18 -0500, Angelo Zanetti <binc2@xxxxxxxxxx> wrote: > > Does this setup sound secure enough and a solution that can work? > What kind of encryption should I be using? > > Point out any areas where you think I might be missing something or > going wrong. Take Richard's advice and don't do it - Any decent Merchant Service Provider should give you a method of placing recurring charges, which would take most of the responsibility and liability out of your hands. If you're even thinking of storing credit card numbers you should have already read and be familiar with the PCI Data Security Standard. http://www.visaeurope.com/acceptingvisa/pdf/PCI_Data_Security_Standard_1_0.pdf You'll have added up the costs of not only building all that, but also the costs of maintaining it, the continuous monitoring, the (at least) quarterly vulnerability scans, incidence response plans etc. You should also know the risks of not following the cards security policies; last time I looked, Visa's compliance penalties were $50,000 for a first offence and $100,000 for subsequent offences, plus the risk of being permanently barred from holding a merchant account. You must also have considered what effect it would have on your business if you have to inform all your customers that their credit card details have been compromised. Storing card details is a high cost, high risk solution. Unless you've a *really* good business reason for doing so that you've not mentioned, it's not a good idea. -robin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
