Solved

credit card security

Posted on 2004-09-17
Last Modified: 2013-11-18
Hi,

Not sure where to ask this, so I'll just ask here.  My company has an online webstore, and we want to streamline the process of checking out.  This includes "remembering" the customer's settings from the last time they purchased something on our store.  We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering".  Everything is working out great, except for the credit card.  I do not want to store credit cards on our server as I do not know how to do so securely.  Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?  Can you think of any rules/laws that are being violated?  Do you think this is just plain bad practice?  Do you have any better solutions?

Thanks

Trevor
Question by:trevorhartman
7 Comments
 
LVL 1

Assisted Solution

by:sevie
sevie earned 50 total points
ID: 12088046
- Use of secure connections using SSL to safeguard information when transmitted from web browser to your server (https://verisign.com/) and/or use certificates- http://GlobalSign.com for customer authorization
- Security controls to restrict access to databases housing personally identifying information
- Use of encryption for sensitive personal information, such as credit card numbers and user names
- Binding subcontractors by contractual technical and organizational measures to protect personal information
- Treating any personal information that may be contained in cookies with the same level of confidentiality as other information provided
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12090888
>
Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?
<

I steal *your* cookie, and 'cause your server is the only one to decrypt it in reasonable time, I get a valid credit card number from *you*.
I don't need to know the algorithm or strength, just the cookie :-)
Does this answer your question about security?

In general, cookies are useless to transport/store confidential information.
 
LVL 8

Author Comment

by:trevorhartman
ID: 12091996
Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor

 
LVL 51

Expert Comment

by:ahoffmann
ID: 12092658
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons concerning the number itself (validity, owner, etc.), but mostly to prevent someone from somehow getting the numbers from me.
Design your application in such a way that the number has to be entered each time after login.
It goes without saying that you use SSL (as sevie said).
 
LVL 8

Author Comment

by:trevorhartman
ID: 12092673
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers don't they?  I'm all for entering the CC each time but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
 
LVL 51

Accepted Solution

by:
ahoffmann earned 450 total points
ID: 12092740
> .. but my boss wants 1-click functionality...
ok, you're prepared for building an application with a sophisticated user registration ('cause of the CC), then a secure authentication scheme with a session ID where you can prove that each authenticated user is authorized to use the stored CC.
Then you have to ensure that all data you store complies with the various "data privacy policies".
After that you ensure that the data is safe, meaning no unauthorized person has access to it, either physically or electronically.
A firewall is still protecting your web server; then it needs to protect your database server too.
Your application is "web application security" aware, meaning that it has no vulnerabilities like XSS, SQL Injection, etc. etc.
Best you get a Web Application Firewall too, to be safer.
Do you need more protection hints for "1-click"?
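The two designs discussed in this thread, side by side, as an added Python example that is not code from the thread or from any of its participants: ahoffmann's cookie-theft point (ID 12090888) against the "encrypted card in a cookie" scheme from the question, and the session-ID-plus-authorization shape of the accepted solution (ID 12092740). Everything here is constructed for illustration: the "cipher" is a toy keystream built from HMAC-SHA256 so the file runs on the standard library alone (its strength is beside the point, exactly as ahoffmann says), the card number is a test value, the in-memory dicts stand in for a database, and the function and user names are hypothetical.

```python
"""Added example, not code from the thread: the encrypted-card cookie from the
question next to the server-side, session-bound design the accepted answer
outlines.  Everything here is constructed for illustration; the 'cipher' is a
toy keystream built from HMAC-SHA256 so the file runs on the standard
library alone, and its strength is beside the point, as ahoffmann notes."""
import base64
import hashlib
import hmac
import os
import secrets

SERVER_KEY = os.urandom(64)  # 512-bit key that never leaves the server


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream: HMAC(key, nonce || counter), concatenated."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt under the server key; output is cookie-safe base64 of nonce || ct."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ct).decode()


def unseal(key: bytes, token: str) -> bytes:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct = raw[:16], raw[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Design 1, from the question: the card ciphertext lives in the customer's cookie.
def naive_one_click_charge(card_cookie: str, amount_cents: int) -> dict:
    # The server decrypts whatever it is handed.  Nothing ties the cookie to the
    # person presenting it, so the cookie itself *is* the card.
    pan = unseal(SERVER_KEY, card_cookie).decode()
    return {"charged": True, "pan_last4": pan[-4:], "amount_cents": amount_cents}


# Design 2, the shape of the accepted answer: the card stays on the server,
# the cookie carries only an opaque session id, and the charge handler proves
# that the authenticated user is authorized to use the card it is asked to charge.
CARDS = {}     # user_id -> sealed PAN; server side only (stands in for the database)
SESSIONS = {}  # session_id -> user_id; server side only


def register_card(user_id: str, pan: str) -> None:
    CARDS[user_id] = seal(SERVER_KEY, pan.encode())


def login(user_id: str) -> str:
    session_id = secrets.token_urlsafe(32)  # this is all the cookie will hold
    SESSIONS[session_id] = user_id
    return session_id


def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)


def session_one_click_charge(session_cookie: str, card_owner: str, amount_cents: int) -> dict:
    """card_owner is client-supplied (think hidden form field) and must not be trusted."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return {"charged": False, "reason": "not authenticated"}
    if user != card_owner or card_owner not in CARDS:
        return {"charged": False, "reason": "not authorized for this card"}
    pan = unseal(SERVER_KEY, CARDS[user]).decode()
    return {"charged": True, "pan_last4": pan[-4:], "amount_cents": amount_cents}


def demo() -> dict:
    pan = "4111111111111111"  # constructed test number, not a real card
    # Design 1: the store issues the cookie, the attacker copies it (XSS, a
    # shared PC, a non-Secure cookie sent over plain HTTP) and simply replays it.
    stolen_cookie = seal(SERVER_KEY, pan.encode())
    replayed = naive_one_click_charge(stolen_cookie, 4999)

    # Design 2: the same customer, now with server-side storage and sessions.
    register_card("trevor", pan)
    trevor = login("trevor")
    own = session_one_click_charge(trevor, "trevor", 4999)
    mallory = login("mallory")  # attacker has an account of her own
    cross_user = session_one_click_charge(mallory, "trevor", 4999)
    logout(trevor)
    after_logout = session_one_click_charge(trevor, "trevor", 4999)
    return {
        "naive_replay": replayed,
        "own_card": own,
        "cross_user": cross_user,
        "after_logout": after_logout,
        "pan_in_session_cookie": pan in trevor,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the replayed cookie charging the card without the attacker ever touching the key, while in the second design a different user's session is refused for that card and the cookie stops working at logout. A stolen session ID is still a session hijack for as long as the session lives, which is why the accepted answer goes on to list XSS and SQL injection defences and a firewall in front of the database; what the second design removes is the card number from the cookie and the unbounded lifetime of the replay.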
 
LVL 8

Author Comment

by:trevorhartman
ID: 12092760
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman
