Did you actually SNIP the "document[ation] how it can be done safely for all the world to see and learn!" ??? Or are you saying go buy this book?

-----Original Message-----
From: Peter Beckman [mailto:beckman@xxxxxxxxxxxxx]
Sent: Friday, January 06, 2006 10:54 PM
To: Neil Smith [MVP, Digital media]
Cc: php-db@xxxxxxxxxxxxx
Subject: Re: Storing Credit Cards, Passwords, Securely, two-way encryption

On Fri, 6 Jan 2006, Neil Smith [MVP, Digital media] wrote:

>> Peter Beckman wrote:
>> So I'm thinking about how to save credit card numbers in the DB, for
>> re-charging cards for subscriptions, new orders, etc.
>>
>> Yes yes, lawsuits, scary, etc.
>
> I'm glad you're so blase about this and the threat of your business going

Not blase -- just sick of hearing "don't do it", "you'll get sued", "impossible", "what's wrong with you". I want to secure this information, responsibly. How? (You answer this below.)

> Security by obscurity is a myth.

I believe you -- and if obscurity is a myth, let's document how it can be done safely for all the world to see and learn!

> *DO NOT* store any credit card numbers on any publicly accessible
> system. Ever. Period.

Sometimes when questions are asked, the background knowledge of the poster is not given. I would never do that. A server that is connected to the internet directly storing credit cards is asking for a lawsuit. It's got a sign with "please hack me" on it.

> OK now to the candy: I've had this book a while, and it's one of the most
> insightful and well researched (from experience) books on security I've ever
> read. In fact - so good I'm going to go to the trouble to retype an excerpt
> of a section called "One-Way Credit Card Data Path for Top Security"
>
> (Bob Toxen) have come up with the concept of a one-way credit card data path.

Now THAT is exactly what I was looking for -- THANKS! I'll go get the book.

> (snipped section about spot welded steel pipes encasing LAN cable !)

*laugh* That might be a bit of overkill... but I get the idea.

> The CC server then contacts the processing bank through the private network
> to charge the amt, store the authorisation number if successful and returns
> either "Success" or an appropriate error message

Obviously most CC auths are via the 'net + SSL, private networks don't apply (and they are kind of cost prohibitive). If you have a router/firewall/ipfw between your CC and the 'net, blocking incoming but allowing outgoing to your cc auth host ip(s), is that good enough? What else can be done?

> As Bob's book is so bloody good, here's the ASIN for it in case you want
> to read all 650 pages of good advice ;-)
> http://www.amazon.com/gp/product/0130464562/qid=1136589506/sr=8-1/ref=pd_bbs_1/104-3174210-9795945?n=507846

Thank you Neil -- sold!

Beckman

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@xxxxxxxxxxxxx                                 http://www.purplecow.com/
---------------------------------------------------------------------------

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
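The one-way data path Neil quotes, and the charge flow Peter asks about (the CC server contacts the bank, stores the authorisation number, and returns only "Success" or an error), as a toy model. This is an added example, not code from the thread or from Toxen's book; the request format, the bank stand-in and the card numbers are constructed.

```python
"""Toy model of the one-way credit card data path discussed in the thread:
the web tier pushes card data inward and charges by an opaque reference, and
no reply from the CC server ever carries the card number (constructed stubs)."""
import secrets

class CardServer:
    """Isolated CC host: one inbound entry point, no path that returns a card."""
    def __init__(self, processor):
        self._vault = {}   # reference -> (pan, expiry); never leaves this host
        self._auths = {}   # reference -> authorisation numbers from the bank
        self._processor = processor

    def handle(self, request: dict) -> dict:
        op = request.get("op")
        if op == "store":
            ref = secrets.token_hex(16)   # random reference, carries no card data
            self._vault[ref] = (request["pan"], request["expiry"])
            return {"status": "Success", "ref": ref}
        if op == "charge":
            card = self._vault.get(request.get("ref"))
            if card is None:
                return {"status": "Error", "message": "unknown card reference"}
            auth = self._processor(*card, request["amount_cents"])
            if auth is None:
                return {"status": "Error", "message": "declined"}
            self._auths.setdefault(request["ref"], []).append(auth)
            return {"status": "Success", "auth": auth}
        return {"status": "Error", "message": "unsupported operation"}

def fake_processor(pan, expiry, amount_cents):
    """Constructed bank stand-in: declines PANs ending in 0002, else authorises."""
    return None if pan.endswith("0002") else "AUTH" + secrets.token_hex(4)

def run_exchange(pan="4111111111111111", expiry="12/09"):
    """Web-tier side: store once, charge twice (recurring), then try a read-back."""
    cc = CardServer(fake_processor)
    store = {"op": "store", "pan": pan, "expiry": expiry}
    transcript = [(store, cc.handle(store))]
    ref = transcript[0][1]["ref"]
    for req in ({"op": "charge", "ref": ref, "amount_cents": 1999},
                {"op": "charge", "ref": ref, "amount_cents": 1999},  # recurring
                {"op": "read", "ref": ref}):   # no such operation on the CC server
        transcript.append((req, cc.handle(req)))
    return transcript

def leaks_pan(transcript, pan) -> bool:
    """True if any reply from the CC server contains the card number."""
    return any(pan in repr(resp) for _, resp in transcript)
```

The point the model makes is that the web tier's only handle on a stored card is the reference, so a compromised web server can ask for charges but cannot pull card numbers back out.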