Usually paying should be the last step, so you might want to review your workflow.
Anyway, if you're storing the credit card in the database, then why are you also storing it in the session? You can just query the database for the credit card based on the session id (so you should also store the session id in that table).
Since you're storing the credit card in the database, you should encrypt the credit card (there are plenty of encryption/decryption algorithms on the internet for PHP).
Other than that, I think everything is fine, and your system should work smoothly.
--
itoctopus - http://www.itoctopus.com
<siavash1979@xxxxxxxxx> wrote in message
news:1176056778.461933ca199b3@xxxxxxxxxxxxxxxxxxxx
Hi All,
I've got quite a bit of PHP experience, but I've never had to deal with credit card info before. Now for a property rental site, I'm adding a way for users to be able to fill out a form which also has some credit card info in it.
After they submit the form, there are a couple more steps, and to pass credit card info to the last page, I'm storing all the info in my session. Now, I did go and buy an SSL certificate, so the booking section of the site is on SSL (https). I'm just wondering if this is secure enough. As far as I know, SSL means the connection to the server is secured, so session variables should be secured too. No?
Also, after I get credit card info, I'm storing it in a MySQL table until an admin logs in to the site, sees new reservations, charges them manually and contacts the customer, and then that entry will be removed from my database forever. Is this OK? Or is it a really bad idea? Originally the plan was to send an email to the admin with credit card info, but then I realized that emails are very insecure, so I decided to keep the info on the SSL section of the site.
Just because I'm dealing with credit cards, I'm so afraid of doing anything now. Any suggestions? Or perhaps any links on how to make it all more secure?
Thanks a lot in advance,
Siavash
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
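The storage approach suggested in the reply (card encrypted in the database, looked up by session id, removed once the admin has charged it), as an added PHP example that is not part of either message. The table and function names, the in-memory SQLite database standing in for MySQL, the choice of libsodium's XChaCha20-Poly1305, and the key generated in-script are all assumptions; the session id and card number are constructed test values.

```php
<?php
declare(strict_types=1);
// Added example; schema, names and cipher choice are assumptions, not from the thread.
// Assumption: a real key is loaded from outside the database, never stored beside the rows.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
// Assumption: in-memory SQLite stands in for the MySQL table so the script runs alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pending_cards (session_id TEXT PRIMARY KEY, nonce TEXT, ciphertext TEXT)');

function storeCard(PDO $db, string $key, string $sessionId, string $pan): void
{
    // Fresh random nonce per record; the session id is bound in as associated data.
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($pan, $sessionId, $nonce, $key);
    $db->prepare('INSERT INTO pending_cards VALUES (?, ?, ?)')
       ->execute([$sessionId, base64_encode($nonce), base64_encode($ct)]);
}

function loadCard(PDO $db, string $key, string $sessionId): ?string
{
    $stmt = $db->prepare('SELECT nonce, ciphertext FROM pending_cards WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // nothing stored for this session
    }
    // Decryption fails if the row was modified or attached to a different session id.
    $pan = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        base64_decode($row['ciphertext']), $sessionId, base64_decode($row['nonce']), $key
    );
    return $pan === false ? null : $pan;
}

function deleteCard(PDO $db, string $sessionId): void
{
    // Called once the admin has charged the reservation.
    $db->prepare('DELETE FROM pending_cards WHERE session_id = ?')->execute([$sessionId]);
}

$sid = 'sess-constructed-123';                    // constructed session id
storeCard($db, $key, $sid, '4111111111111111');   // constructed test card number
var_dump(loadCard($db, $key, $sid) === '4111111111111111');
// Simulate a row being re-pointed at another session directly in the database.
$db->exec("UPDATE pending_cards SET session_id = 'sess-other'");
var_dump(loadCard($db, $key, 'sess-other'));
deleteCard($db, 'sess-other');
var_dump(loadCard($db, $key, 'sess-other'));
```

Only the session id travels between the form steps; the card number itself never has to be written into the session data.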