On Tue, Jun 01, 2010 at 04:17:21PM +0200, Peter Lind wrote:

> On 1 June 2010 15:58, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> > On Tue, Jun 01, 2010 at 09:52:54AM +0200, Peter Lind wrote:
> >
> >> Just wondering: seems there's a bit of a misunderstanding going on
> >> here. Are you talking about storing credit card information in a way
> >> such that customers can do online transactions without entering that
> >> information? Or are you talking about storing this information so your
> >> own company can fill in the details on a monthly basis?
> >> If 1) then the above points apply and you should not store the data,
> >> period. If 2) then I would assume the situation is somewhat different
> >> - though, not knowing the laws from the US I wouldn't really know.
> >
> > No to #1, yes to #2.
> >
> > As for #1, companies like Godaddy do store this information, so I know
> > it can be safely done.
>
> As I noted above: the question is not whether it can be done, the
> question is whether you want to be the next critter in the limelight
> because *you* couldn't do it.
> However, glad to hear you're not looking to do this. That brings up
> the next question though: what's this got to do with PHP? If I was to
> store any information like this, I certainly wouldn't code my own
> storage system with built-in encryption. I would rely on one of the
> many adequate cryptography programs available, made specifically for
> encrypting and storing data safely.

It's got to do with PHP because all the code which handles all this
customer data, etc., is PHP. (It's all internal to my network.)

You could use mcrypt_*() functions to encrypt the credit card numbers,
no problem. Some of the methods of encryption possible with mcrypt are
very strong. The original question was if there was an alternative to
forcing the user who wants to access the CC number to supply a separate
password in order to access the information.
The apparent answer (given the original constraints) is no, there is no
alternative.

Paul

--
Paul M. Foster

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
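
An added example, not part of the original message or the list's own code: the separate-password arrangement discussed in the thread, where the encryption key is derived from the operator's password at access time and never stored next to the data. The mcrypt extension named in the message was removed in PHP 7.2, so this uses the openssl extension instead; the function names, the iteration count and the sample values are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the thread. Assumes PHP >= 7.1 with the
// openssl extension (AES-256-GCM) in place of the removed mcrypt extension.

const KDF_ITERATIONS = 600000; // assumed work factor; tune for your hardware

/** Encrypt a card number under a key derived from the operator's password. */
function seal_pan(string $pan, string $password): string
{
    $salt = random_bytes(16);
    $iv   = random_bytes(12); // 96-bit nonce for GCM
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $tag  = '';
    $ct   = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Only salt, nonce, tag and ciphertext are stored; the key never is.
    return base64_encode($salt . $iv . $tag . $ct);
}

/** Return the card number, or null on a wrong password or an altered record. */
function open_pan(string $record, string $password): ?string
{
    $raw = base64_decode($record, true);
    if ($raw === false || strlen($raw) <= 16 + 12 + 16) {
        return null; // malformed or truncated record
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $ct   = substr($raw, 44);
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    // GCM verifies the tag, so a wrong key fails cleanly instead of
    // returning garbage that looks like a card number.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values: a common test card number and a made-up password.
$record = seal_pan('4111111111111111', 'correct horse battery staple');
var_dump(open_pan($record, 'correct horse battery staple')); // right password
var_dump(open_pan($record, 'wrong password'));               // wrong password
```

A database dump or a compromised web server yields only the stored records, because the key exists in memory just while the operator's password is being processed.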