Re: Credit Card encryption

On May 31, 2010, at 1:24 AM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:

> On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:
>
> <snip>
>
> > I work with some of the largest retailers in North America if not the
> > world, and I can confirm that the security measures taken to enforce
> > PCI compliance are not something lightly undertaken.
> >
> > If those entities choose to store the cc#s then they do the following:
> >
> > 1. Store the encrypted values on servers that are NOT web facing
>
> Absolutely! If I were trying to do this on a web server, I *would* use a payment gateway. There's no way I could secure it adequately otherwise.
>
> > 2. Use ridiculously long encryption keys (well into the 1000s of
> > characters)
> >
> > 3. They also create a representative value that exists outside the
> > system that has to allow some basis of data mining.
> >
> > Really, as mentioned, you don't want to do this. Especially if you have
> > no control over the servers.
>
> I have complete control over the server this information is stored on,
> including physical control. It is behind a NATed firewall and only
> accessible to certain machines on my internal network. The only
> personnel with access to the server are myself and my wife.
>
> To be clear, we process credit cards MOTO, meaning we have no physical
> access to the cards themselves. We use a small terminal which dials up
> our payment processor to get approvals. The problem is that virtually
> all of our credit card business is with the same customers and
> recurring. So it's not feasible to call them every month or several
> times per job to ask for a credit card number. This would aggravate my
> customers. So I have to store the information one way or another, on 3x5
> cards, in the computer or some way.
>
> And it appears from all the replies that there is no other way to do it
> than to have a separate key or password for accessing just these credit
> card numbers, and every time they must be accessed, the user must
> provide this key, which would be in addition to the usual password for
> that user.
>
> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


It sounds like a lot of the activity is subscription based, is that correct? PayPal does support that.

I would suggest looking through the PCI guidelines if you haven't done so already. The points there are essential requirements and should be enough for you to judge if you can be compliant with the rules.

PCI is a total PITA, and the fines are not worth it if you can't meet the requirements.

Bastien

Sent from my iPod

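An added example, not code from the thread or from any of its posters, showing in PHP the storage pattern the thread converges on: the card number is encrypted under a key derived from a separate passphrase the operator types at access time (distinct from the login password), and a random token plus the last four digits are kept outside the vault as the "representative value" for recurring-billing lookups and reporting. Assumed: PHP 7.2 or later with the sodium extension; the function names, the record layout and the sample card number are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes PHP >= 7.2 with ext-sodium.
// The records this produces belong on a non-web-facing host; $passphrase
// is the separate "card key" entered at access time, not the login password.

/** Luhn check so obviously mangled input never reaches the vault. */
function luhn_ok(string $digits): bool
{
    $len = strlen($digits);
    if ($len < 12 || !ctype_digit($digits)) {
        return false;
    }
    $sum = 0;
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];   // walk from the right
        if ($i % 2 === 1) {                  // double every second digit
            $d = $d > 4 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

/** Derive the 32-byte secretbox key from the passphrase with Argon2id. */
function vault_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/**
 * Encrypt one card number. Returns the vault record (salt, nonce, box) and
 * the representative values (random token, last four digits) that may live
 * outside the vault, as item 3 in the thread describes.
 */
function vault_store(string $pan, string $passphrase): array
{
    $pan = preg_replace('/\D+/', '', $pan) ?? '';
    if (!luhn_ok($pan)) {
        throw new InvalidArgumentException('card number fails Luhn check');
    }
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);     // per record
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // per record
    $key   = vault_key($passphrase, $salt);
    $box   = sodium_crypto_secretbox($pan, $nonce, $key);      // authenticated encryption
    sodium_memzero($key);
    return [
        'token' => bin2hex(random_bytes(16)),  // random, not derived from the card number
        'last4' => substr($pan, -4),
        'salt'  => $salt,
        'nonce' => $nonce,
        'box'   => $box,
    ];
}

/** Decrypt a record; null on a wrong passphrase or a tampered record. */
function vault_open(array $rec, string $passphrase): ?string
{
    $key = vault_key($passphrase, $rec['salt']);
    $pan = sodium_crypto_secretbox_open($rec['box'], $rec['nonce'], $key);
    sodium_memzero($key);
    return $pan === false ? null : $pan;
}

// Constructed sample: a well-known test card number, not a real account.
$rec = vault_store('4111 1111 1111 1111', 'correct horse battery staple');
printf("token=%s last4=%s stored\n", $rec['token'], $rec['last4']);
var_dump(vault_open($rec, 'correct horse battery staple') === '4111111111111111');
var_dump(vault_open($rec, 'wrong passphrase'));
```

Two design points worth noting. Each record carries its own salt, so one operator passphrase yields a different key per card and the Argon2id cost (the MODERATE limits mean roughly 256 MiB and well under a second per call) is paid once per access, which fits the "provide the key every time" workflow in the thread. The token kept outside the vault is random rather than a hash of the card number: the space of valid card numbers is small enough that a plain hash could be brute-forced back to the number, whereas a random token reveals nothing about it and is still enough to match a customer to a stored record.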

