Solved

credit card security

Posted on 2004-09-17
Last Modified: 2013-11-18
Hi,

Not sure where to ask this, so I'll just ask here. My company has an online webstore, and we want to streamline the process of checking out. This includes "remembering" the customer's settings from the last time they purchased something on our store. We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering". Everything is working out great, except for the credit card. I do not want to store credit cards on our server as I do not know how to do so securely. Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer. The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this? Can you think of any rules/laws that are being violated? Do you think this is just plain bad practice? Do you have any better solutions?

Thanks

Trevor
Question by:trevorhartman
LVL 1

Assisted Solution

by:sevie
sevie earned 50 total points
ID: 12088046
- Use of secure connections using SSL to safeguard information when transmitted from web browser to your server (https://verisign.com/) and/or use certificates - http://GlobalSign.com for customer authorization
- Security controls to restrict access to databases housing personally identifying information
- Use of encryption for sensitive personal information, such as credit card numbers and user names
- Binding subcontractors by contractual technical and organizational measures to protect personal information
- Treating any personal information that may be contained in cookies with the same level of confidentiality as other information provided
LVL 51

Expert Comment

by:ahoffmann
ID: 12090888
> Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?

I steal *your* cookie, and 'cause your server is the only one to decrypt it in reasonable time, I got a valid credit card number from *you*.
I don't need to know the algorithm or strength, just the cookie :-)
Does this answer your question about security?

I.g. cookies are useless to transport/store confidential information.
LVL 8

Author Comment

by:trevorhartman
ID: 12091996
Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor
LVL 51

Expert Comment

by:ahoffmann
ID: 12092658
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons on the number itself (valid, owner, etc.), but most likely to prevent myself that someone somehow gets the numbers.
Design your application in such a way that it has to be entered each time after login.
It's obvious to say that you use SSL (as sevie said).
LVL 8

Author Comment

by:trevorhartman
ID: 12092673
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers don't they?  I'm all for entering the CC each time but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 450 total points
ID: 12092740
> .. but my boss wants 1-click functionality...
ok, you're prepared for building an application with a sophisticated user registration ('cause of the CC), then a secure authentication scheme with sessionID where you can prove that each authenticated user is authorized to use the stored CC.
Then you have to ensure that all data you store complies with various "data privacy policies".
After that you ensure that the data is safe, meaning no unauthorized person has access to it, either physically or electronically.
A firewall is still protecting your web server, then it needs to protect your database server too.
Your application is "web application security" aware, meaning that it has no vulnerabilities like XSS, SQL Injection, etc. etc.
Best you get a Web Application Firewall too, to be more safe.
Do you need more protection hints for "1-click"?
0
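An added example, not part of the original thread or any poster's code: a minimal Python sketch of the accepted answer's requirement that each authenticated session be shown to be authorized for the stored card before a 1-click charge. The `CardVault` class, its method names, the 900-second session lifetime, the user names and the card number are all assumptions constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; assumed lifetime of a login session


class CardVault:
    """Server-side store: the browser only ever holds random identifiers."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user, expires_at)
        self._cards = {}     # card_ref -> (owner, card_number)

    def register_card(self, user, card_number):
        ref = secrets.token_urlsafe(16)  # opaque; reveals nothing about the card
        # Kept in memory in the clear only for brevity; a real store encrypts at rest.
        self._cards[ref] = (user, card_number)
        return ref

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def one_click(self, session_id, card_ref, now=None):
        """Return the masked card to charge, or raise PermissionError."""
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session")
        user, expires_at = session
        if now >= expires_at:
            del self._sessions[session_id]
            raise PermissionError("session expired")
        card = self._cards.get(card_ref)
        # Same error whether the reference is unknown or belongs to someone else.
        if card is None or card[0] != user:
            raise PermissionError("card not authorized for this user")
        return "*" * 12 + card[1][-4:]


def demo():
    vault = CardVault()
    ref = vault.register_card("alice", "4111111111111111")  # constructed test number
    alice, bob = vault.login("alice", now=0), vault.login("bob", now=0)
    results = {"owner": vault.one_click(alice, ref, now=10)}
    for label, sid, t in (("other_user", bob, 10), ("expired", alice, SESSION_TTL + 1)):
        try:
            results[label] = vault.one_click(sid, ref, now=t)
        except PermissionError as exc:
            results[label] = str(exc)
    return results
```

The session ID is still a bearer credential, so it needs the SSL transport and web application hardening the thread lists; what changes is that no card data, encrypted or not, leaves the server.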
 
LVL 8

Author Comment

by:trevorhartman
ID: 12092760
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman