trevorhartman

asked on

credit card security

Hi,

Not sure where to ask this, so I'll just ask here. My company has an online webstore, and we want to streamline the process of checking out. This includes "remembering" the customer's settings from the last time they purchased something on our store. We basically want the same functionality that Amazon.com provides its customers with "1 click ordering". Everything is working out great, except for the credit card. I do not want to store credit cards on our server as I do not know how to do so securely. Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer. The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this? Can you think of any rules/laws that are being violated? Do you think this is just plain bad practice? Do you have any better solutions?

Thanks

Trevor
SOLUTION
sevie

This solution is only available to members.
> Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?

I steal *your* cookie, and 'cause your server is the only one to decrypt it in reasonable time, I get a valid credit card number from *you*.
I don't need to know the algorithm or strength, just the cookie :-)
Does this answer your question about security?

I.g. cookies are useless to transport/store confidential information.
trevorhartman (ASKER)

Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons concerning the number itself (valid, owner, etc.), but most likely to prevent someone from somehow getting the numbers.
Design your application in such a way that it has to be entered each time after login.
It's obvious to say that you use SSL (as sevie said).
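As an added illustration (not code from this thread), here is the cookie design from the question next to the re-enter-after-login design recommended above, showing why the encrypted cookie behaves like a stolen card while a server-side session does not. The HMAC-in-counter-mode stream cipher and the 64-byte `SERVER_KEY` are assumptions chosen only so the example runs with the standard library; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the 512-bit key that only the server holds.
SERVER_KEY = secrets.token_bytes(64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a stream cipher; a stdlib stand-in for a
    # real cipher such as AES, chosen only so the example runs without extra packages.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def issue_cookie(card_number: str) -> str:
    """The design from the question: encrypt the card with the server key, hand it to the browser."""
    nonce = secrets.token_bytes(16)
    plaintext = card_number.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(SERVER_KEY, nonce, len(plaintext))))
    return (nonce + ciphertext).hex()


def decrypt_cookie(cookie: str) -> str:
    raw = bytes.fromhex(cookie)
    nonce, ciphertext = raw[:16], raw[16:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(SERVER_KEY, nonce, len(ciphertext)))).decode()


def charge_from_cookie(cookie: str, presented_by: str) -> str:
    # Nothing in the cookie ties it to a login or expires it: the server decrypts for whoever
    # presents it, so a copied cookie is as good as the card itself. `presented_by` is unused.
    return decrypt_cookie(cookie)


# The alternative recommended in the thread: the card is entered after login and lives only in
# the server-side session of that login; the browser never receives card data at all.
_SESSIONS: Dict[str, str] = {}


def start_checkout_session(card_number: str) -> str:
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = card_number
    return session_id


def card_for_session(session_id: str) -> Optional[str]:
    return _SESSIONS.get(session_id)  # None once the session is gone or the id is unknown


def logout(session_id: str) -> None:
    _SESSIONS.pop(session_id, None)  # card data disappears with the login
```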
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers don't they?  I'm all for entering the CC each time but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman