"Peter Beckman" <beckman@xxxxxxxxxxxxx> wrote in message news:20060105202254.X8551@xxxxxxxxxxxxxxxxxxxx

> So I'm thinking about how to save credit card numbers in the DB, for
> re-charging cards for subscriptions, new orders, etc.
>
> I'm also thinking about how to save passwords in the DB, not plaintext,
> but not one-way encrypted either.
>
> Any suggestions? How would I secure the database? I'm thinking some
> abstract process in code, or something -- security through obscurity.

Suggestions? Oh, I've got some of them:

(1) Call VeriSign (just bought by PayPal)

(2) Do NOT store credit card numbers/dates/ccid's anywhere. (yes, that ends in a PERIOD)

(2B) Obviously you will need to store the credit card data for a brief while, so you can at least run the credit card. BUT, it shouldn't be stored for any longer than a few hours (See #3 below)

(3) Using a service like VeriSign, when you get the credit card information, run a charge of that card immediately (maybe a $1 handling charge). This will give you a magic reference# assigned to that credit card data at the service. VeriSign calls this a PNRef (I think). You can then use this reference for all future charges to that same credit card.

(4) Make sure to get the billing zip code and street address for the credit card. This reduces your cost per transaction.

(5) Did I mention to NOT store credit card numbers?

DanB

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
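An added example (not from the list or from DanB) of the pattern in (2) and (3): run one initial charge to obtain the processor's reference, then persist only that reference plus last four digits and expiry, with a guard that refuses to store anything PAN-shaped. `FakeGateway`, `StoredCard`, `enroll_card` and `recharge` are constructed names; the gateway is a stand-in for a real payment service, not VeriSign's API.

```python
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass

PAN_RE = re.compile(r"\b\d{13,19}\b")  # anything that looks like a full card number


@dataclass(frozen=True)
class StoredCard:
    """The only card-related fields the database keeps; no PAN, no CVV."""
    customer_id: str
    gateway_ref: str   # processor-assigned reference (the "PNRef" of the post)
    last4: str         # for receipts and "which card" display only
    expiry: str        # MM/YY, so expiring cards can be flagged


class FakeGateway:
    """Constructed stand-in for a payment service; card data lives here, not with us."""
    def __init__(self) -> None:
        self._vault = {}

    def charge(self, pan: str, expiry: str, cents: int) -> str:
        ref = secrets.token_hex(8)          # opaque reference, useless outside this gateway
        self._vault[ref] = (pan, expiry)
        return ref

    def charge_by_reference(self, ref: str, cents: int) -> bool:
        return ref in self._vault           # a real service would run the charge here


def luhn_ok(digits: str) -> bool:
    """Reject obvious typos before spending a $1 charge on them."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def persisted_looks_like_pan(record: StoredCard) -> bool:
    """Guard for (2): true if any stored field still carries a PAN-shaped value."""
    return any(PAN_RE.search(str(v)) for v in vars(record).values())


def enroll_card(gw: FakeGateway, customer_id: str, pan: str, expiry: str) -> StoredCard:
    """Step (3): charge once to get a reference, keep the reference, drop the PAN."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid card number")
    ref = gw.charge(pan, expiry, cents=100)  # the $1 handling charge from the post
    record = StoredCard(customer_id, ref, pan[-4:], expiry)
    if persisted_looks_like_pan(record):
        raise RuntimeError("refusing to persist card data")
    return record


def recharge(gw: FakeGateway, record: StoredCard, cents: int) -> bool:
    """Later subscription/order charges use only the stored reference."""
    return gw.charge_by_reference(record.gateway_ref, cents)
```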