Re: Re: keeping credit card info in session

Encryption is a mandatory part of PCI compliance...

--
itoctopus - http://www.itoctopus.com
"Jim King" <mlists@xxxxxxxxxxxxxxx> wrote in message
news:8AE50B49-6CD1-474A-857A-21F8BFC0D91C@xxxxxxxxxxxxxxxxxx
>
>
> Does encrypting credit card information really do any good?  You have
> to store the keys somewhere to decrypt the data to use it.  As we
> have seen with blu-ray and HD DVD movies, the keys are the weak point
> that are easily compromised.  Besides, even encrypted data can be
> decrypted by brute force.  The strength of the encryption only
> dictates how long it will take.  Once you have the decryption key,
> the strength of the encryption means nothing.  Does anyone believe
> that all these botnets are just for sending spam?  You could use them
> to create a huge supercomputer for code busting.
>
> I think it is better to protect your network and passwords.  Use the
> Visa/MC/Amex standards that the companies themselves publish.  None
> of them require encryption, by the way.
>
>
>
> On Apr 8, 2007, at 4:56 PM, itoctopus wrote:
>
> > Usually paying should be the last step, so you might probably want to
> > review your workflow.
> > Anyways, if you're storing the credit card in the database, then why are
> > you also storing it in the session, you can just query the database for
> > the credit card based on the session id (so you should also store the
> > session id in that table).
> > Since you're storing the credit card in the database, then you should
> > encrypt the credit card (there are plenty of encryption/decrypting
> > algorithms on the internet for PHP).
> > Other than that, I think everything is fine, and your system should work
> > smoothly.
> > --
> > itoctopus - http://www.itoctopus.com
> > <siavash1979@xxxxxxxxx> wrote in message
> > news:1176056778.461933ca199b3@xxxxxxxxxxxxxxxxxxxx
> >>
> >> Hi All,
> >>
> >> I've got quite a bit of PHP experience, but I've never had to deal with
> >> credit card info before. Now for a property rental site, I'm adding a
> >> way for users to be able to fill out a form which also has some credit
> >> card info in it.
> >>
> >> After they submit the form, there are a couple more steps, and to pass
> >> credit card info to the last page, I'm storing all the info in my
> >> session. Now, I did go and buy an SSL certificate, so the booking
> >> section of the site is on SSL (https). I'm just wondering if this is
> >> secure enough. As far as I know, SSL means the connection to the server
> >> is secured, so session variables should be secured too. No?
> >>
> >> Also, after I get credit card info, I'm storing it in a MySQL table
> >> until an admin logs in to the site, sees new reservations, charges them
> >> manually and contacts the customer, and then that entry will be removed
> >> from my database forever. Is this OK? Or is it a really bad idea?
> >> Originally the plan was to send an email to the admin with credit card
> >> info, but then I realized that emails are very insecure, so I decided to
> >> keep the info on the SSL section of the site.
> >>
> >> Just because I'm dealing with credit cards, I'm so afraid of doing
> >> anything now. Any suggestions? Or perhaps any links to how to make it
> >> all more secure?
> >>
> >> Thanks a lot in advance,
> >> Siavash
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
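
The suggestion in the thread to keep the card in the database in encrypted form, with the key held apart from the data, could look like the following in PHP. This is an added example, not code from any poster; it assumes PHP 7.2+ with the bundled sodium extension, and the CARD_ENC_KEY variable, the function names and the row layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the key is provisioned outside the database and the web root,
// here as a base64 value in the hypothetical CARD_ENC_KEY environment variable.
function loadCardKey(): string
{
    $key = base64_decode((string) getenv('CARD_ENC_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CARD_ENC_KEY is missing or malformed');
    }
    return $key;
}

// Returns the value for the database column: base64(nonce || ciphertext+MAC).
function encryptCard(string $pan, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per record
    return base64_encode($nonce . sodium_crypto_secretbox($pan, $nonce, $key));
}

// Reverses encryptCard(); throws if the stored value was altered or the key is wrong.
function decryptCard(string $stored, string $key): string
{
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored card value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pan   = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($pan === false) {
        throw new RuntimeException('Card record failed authentication');
    }
    return $pan;
}

// Constructed demo: a throwaway key and a well-known test card number.
putenv('CARD_ENC_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = loadCardKey();
$row = [
    'session_id' => 'constructed-session-id', // lookup key, as suggested in the thread
    'card_last4' => substr('4111111111111111', -4), // enough for the admin list view
    'card_enc'   => encryptCard('4111111111111111', $key),
];
// The session holds only the session id; the card exists only as $row['card_enc'].
echo $row['card_last4'], ' ', strlen($row['card_enc']), PHP_EOL;
echo decryptCard($row['card_enc'], $key) === '4111111111111111' ? "round-trip ok\n" : "mismatch\n";
```

A database dump alone then yields only ciphertext and the last four digits; the key sits in the application's environment, which is the part the thread identifies as needing protection.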

