On May 31, 2010, at 1:24 AM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:

> On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:
>
> <snip>
>
>> I work with some of the largest retailers in North America if not the
>> world, and I can confirm that the security measures taken to enforce
>> PCI compliance are not something lightly undertaken.
>>
>> If those entities choose to store the cc#s then they do the following:
>>
>> 1. Store the encrypted values on servers that are NOT web facing
>
> Absolutely! If I were trying to do this on a web server, I *would* use a
> payment gateway. There's no way I could secure it adequately otherwise.
>
>> 2. Use ridiculously long encryption keys (well into the 1000s of
>> characters)
>> 3. They also create a representative value that exists outside the
>> system that has to allow some basis of data mining.
>>
>> Really, as mentioned, you don't want to do this. Especially if you have
>> no control over the servers.
>
> I have complete control over the server this information is stored on,
> including physical control. It is behind a NATed firewall and only
> accessible to certain machines on my internal network. The only
> personnel with access to the server are myself and my wife.
>
> To be clear, we process credit cards MOTO, meaning we have no physical
> access to the cards themselves. We use a small terminal which dials up
> our payment processor to get approvals. The problem is that virtually
> all of our credit card business is with the same customers and
> recurring. So it's not feasible to call them every month or several
> times per job to ask for a credit card number. This would aggravate my
> customers. So I have to store the information one way or another, on 3x5
> cards, in the computer or some way.
>
> And it appears from all the replies that there is no other way to do it
> than to have a separate key or password for accessing just these credit
> card numbers, and every time they must be accessed, the user must
> provide this key, which would be in addition to the usual password for
> that user.
>
> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
It sounds like a lot of the activity is subscription based, is that
correct? PayPal does support that.

I would suggest looking through the PCI guidelines if you haven't done so
already. The points there are essential requirements and should be
enough for you to judge if you can be compliant with the rules.

PCI is a total PITA, and the fines are not worth it if you can't meet
the requirements.

Bastien

Sent from my iPod
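As an added illustration of the design the thread converges on (ciphertext kept on a non-web-facing host, a separate per-access passphrase rather than the login password, and a non-reversible "representative value" for reporting), here is a small PHP sketch. It is not code from Paul, Bastien or the list; it assumes PHP 7.2+ with the sodium extension, and all function names, the salt, the lookup key and the test card number are constructed for the example. It does not make an application PCI compliant on its own; it only shows the record layout and key handling.

```php
<?php
declare(strict_types=1);

// Derive the vault key from the separate passphrase the operator types on
// every access (Paul's point). Argon2id, so guessing the passphrase is slow.
function vault_key(string $passphrase, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Build the record that lives on the non-web-facing vault host. The web side
// only ever needs 'last4' and 'token'; the PAN itself is never returned to it.
function vault_store(string $pan, string $key, string $lookupKey): array {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($pan, $nonce, $key); // authenticated encryption
    return [
        'blob'  => base64_encode($nonce . $box),           // nonce + ciphertext
        'last4' => substr($pan, -4),                        // for display only
        'token' => hash_hmac('sha256', $pan, $lookupKey),   // representative value
    ];
}

// Recover the PAN; fails closed if the passphrase is wrong or the blob changed.
function vault_open(array $rec, string $key): string {
    $raw   = base64_decode($rec['blob'], true);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pan   = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($pan === false) {
        throw new RuntimeException('wrong vault passphrase or tampered record');
    }
    return $pan;
}

// Constructed demo values. Salt and lookup key are generated once per
// installation and kept with the vault, never in the web document root.
$salt      = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$lookupKey = random_bytes(32);
$key = vault_key('correct horse battery staple', $salt); // separate from login password
$rec = vault_store('4111111111111111', $key, $lookupKey); // well-known test PAN
sodium_memzero($key);                                     // drop the key after use

// Later, when a recurring charge is due, the operator supplies the passphrase again.
$key = vault_key('correct horse battery staple', $salt);
echo 'last4=' . $rec['last4'] . ' pan=' . vault_open($rec, $key) . "\n";
sodium_memzero($key);
```

The same 'token' is produced for the same card number every time, so repeat customers can be matched and counted on the web side without the PAN ever leaving the vault host.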