Solved

credit card security

Posted on 2004-09-17
7
451 Views
Last Modified: 2013-11-18
Hi,

Not sure where to ask this, so I'll just ask here.  My company has an online webstore, and we want to streamline the process of checking out.  This includes "remembering" the customer's settings from the last time they purchased something on our store.  We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering".  Everything is working out great, except for the credit card.  I do not want to store credit cards on our server as I do not know how to do so securely.  Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?  Can you think of any rules/laws that are being violated?  Do you think this is just plain bad practice?  Do you have any better solutions?

Thanks

Trevor
Question by:trevorhartman
7 Comments
 
LVL 1

Assisted Solution

by:sevie
sevie earned 50 total points
ID: 12088046
- Use of secure connections using SSL to safeguard information when transmitted from the web browser to your server (https://verisign.com/) and/or use certificates (http://GlobalSign.com) for customer authorization
- Security controls to restrict access to databases housing personally identifying information
- Use of encryption for sensitive personal information, such as credit card numbers and user names
- Binding subcontractors by contractual technical and organizational measures to protect personal information
- Treating any personal information that may be contained in cookies with the same level of confidentiality as other information provided
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12090888
> Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?

I steal *your* cookie, and 'cause your server is the only one to decrypt it in reasonable time, I've got a valid credit card number from *you*.
I don't need to know the algorithm or strength, just the cookie :-)
Does this answer your question about security?

I.g. cookies are useless to transport/store confidential information.
0
 
LVL 8

Author Comment

by:trevorhartman
ID: 12091996
Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12092658
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons concerning the number itself (validity, owner, etc.), but mostly to prevent someone from somehow getting the numbers.
Design your application in such a way that the number has to be entered each time after login.
It goes without saying that you use SSL (as sevie said).
0
 
LVL 8

Author Comment

by:trevorhartman
ID: 12092673
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers don't they?  I'm all for entering the CC each time but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
0
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 450 total points
ID: 12092740
> .. but my boss wants 1-click functionality...
ok, you're prepared for building an application with a sophisticated user registration ('cause of the CC), then a secure authentication scheme with a sessionID where you can prove that each authenticated user is authorized to use the stored CC.
Then you have to ensure that all data you store complies with the various "data privacy policies".
After that you ensure that the data is safe, meaning no unauthorized person has access to it, either physically or electronically.
A firewall is still protecting your web server, then it needs to protect your database server too.
Your application is "web application security" aware, meaning that it has no vulnerabilities like XSS, SQL Injection, etc. etc.
Best you get a Web Application Firewall too, to be more safe.
Do you need more protection hints for "1-click"?
0
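The design ahoffmann sketches above (card data stays on the server, the customer holds only something that is useless without their own authenticated session), written out as an added example. This is not code from anyone in this thread; `CardVault`, `Session`, the method names and the sample card number (the well-known 4111 test PAN) are constructed for the illustration. It also shows why his earlier point about the cookie holds: a stolen reference, unlike a stolen encrypted cookie, yields no charge and no card number unless the thief also owns the victim's login session.

```python
"""Server-side card vault with an opaque reference bound to the owning account.

Constructed example. The card number never leaves the server; the customer's
browser only ever sees a random reference and the last four digits, and a
one-click charge is released only when the authenticated session belongs to
the account that registered the card.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows after a successful login (constructed)."""
    session_id: str
    user_id: str


@dataclass
class StoredCard:
    owner: str   # account that registered the card
    pan: str     # full number; kept server-side only (encrypt at rest, or hand to a payment processor)
    last4: str   # the only digits ever shown back to the customer


class CardVault:
    """Server-side store; nothing in here is ever serialized into a cookie."""

    def __init__(self) -> None:
        self._cards: dict[str, StoredCard] = {}
        self.charges: list[tuple[str, str]] = []   # (user_id, last4) audit trail

    def store(self, session: Session, pan: str) -> str:
        """Register a card for the logged-in user and return an opaque reference.

        The reference is random, so it carries no information about the card
        and is worthless off this server, unlike an encrypted copy of the PAN.
        """
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        ref = secrets.token_urlsafe(32)
        self._cards[ref] = StoredCard(owner=session.user_id, pan=digits, last4=digits[-4:])
        return ref

    def display(self, session: Session, ref: str) -> str:
        """Masked form for the checkout page; never the full number."""
        return "**** " + self._lookup(session, ref).last4

    def charge(self, session: Session, ref: str, amount_cents: int) -> bool:
        """One-click charge: succeeds only for the session of the card's owner."""
        card = self._lookup(session, ref)
        # card.pan would go to the payment processor here, never to the client
        self.charges.append((session.user_id, card.last4))
        return True

    def _lookup(self, session: Session, ref: str) -> StoredCard:
        card = self._cards.get(ref)
        # An unknown reference and a reference owned by someone else are
        # rejected identically, so a thief learns nothing from the error.
        if card is None or card.owner != session.user_id:
            raise PermissionError("reference not registered to this account")
        return card


def demo() -> dict:
    """Owner can charge; a second account presenting the stolen reference cannot."""
    vault = CardVault()
    alice = Session(session_id="s-1", user_id="alice")
    mallory = Session(session_id="s-2", user_id="mallory")
    ref = vault.store(alice, "4111 1111 1111 1111")      # constructed test PAN
    result = {
        "ref_leaks_pan": "4111111111111111" in ref,
        "owner_display": vault.display(alice, ref),
        "owner_charge": vault.charge(alice, ref, 1999),
    }
    try:
        vault.charge(mallory, ref, 1999)
        result["thief_charge"] = True
    except PermissionError:
        result["thief_charge"] = False
    result["charges"] = list(vault.charges)
    return result


if __name__ == "__main__":
    print(demo())
```

What remains exposed in this design is the login session itself, which is exactly why the rest of ahoffmann's list (no XSS or SQL injection, firewalled database server, SSL throughout) matters: a hijacked session can still trigger a one-click charge, but it can never recover the card number.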
 
LVL 8

Author Comment

by:trevorhartman
ID: 12092760
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman
0