credit card security

Posted on 2004-09-17
Last Modified: 2013-11-18
Hi,

Not sure where to ask this, so I'll just ask here.  My company has an online webstore, and we want to streamline the process of checking out.  This includes "remembering" the customer's settings from the last time they purchased something on our store.  We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering".  Everything is working out great, except for the credit card.  I do not want to store credit cards on our server as I do not know how to do so securely.  Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?  Can you think of any rules/laws that are being violated?  Do you think this is just plain bad practice?  Do you have any better solutions?

Thanks

Trevor
Question by:trevorhartman
7 Comments
LVL 1

Assisted Solution

by:sevie
sevie earned 200 total points
ID: 12088046
- Use of secure connections using SSL to safeguard information when transmitted from web browser to your server (https://verisign.com/) and/or use certificates (http://GlobalSign.com) for customer authorization
- Security controls to restrict access to databases housing personally identifying information
- Use of encryption for sensitive personal information, such as credit card numbers and user names
- Binding subcontractors by contractual technical and organizational measures to protect personal information
- Treating any personal information that may be contained in cookies with the same level of confidentiality as other information provided
LVL 51

Expert Comment

by:ahoffmann
ID: 12090888
> Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?

I steal *your* cookie, and 'cause your server is the only one that can decrypt it in reasonable time, I get a valid credit card number from *you*.
I don't need to know the algorithm or strength, just the cookie :-)
Does this answer your question about security?

In general, cookies are useless for transporting/storing confidential information.
LVL 8

Author Comment

by:trevorhartman
ID: 12091996
Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor
LVL 51

Expert Comment

by:ahoffmann
ID: 12092658
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons concerning the number itself (validity, owner, etc.), but mostly to prevent someone from somehow getting the numbers.
Design your application so that the number has to be entered each time after login.
It goes without saying that you use SSL (as sevie said).
LVL 8

Author Comment

by:trevorhartman
ID: 12092673
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers, don't they?  I'm all for entering the CC each time but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
LVL 51

Accepted Solution

by:
ahoffmann earned 1800 total points
ID: 12092740
> .. but my boss wants 1-click functionality...
ok, you're prepared for building an application with a sophisticated user registration ('cause of the CC), then a secure authentication scheme with sessionID where you can prove that each authenticated user is authorized to use the stored CC.
Then you have to ensure that all data you store complies with various "data privacy policies".
After that you ensure that the data is safe, meaning no unauthorized person has access to it, either physically or electronically.
A firewall is still protecting your web server; it needs to protect your database server too.
Your application is "web application security" aware, meaning that it has no vulnerabilities like XSS, SQL Injection, etc. etc.
Best you get a Web Application Firewall too, to be safer.
Do you need more protection hints for "1-click"?
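ahoffmann's point that a stolen cookie is as good as the card, and the accepted answer's requirement that each authenticated user be shown to be authorized for the stored card, illustrated as an added Python example (not code from any poster in this thread). It assumes a single server-side key, an account id taken from the server-side login session, and a toy encrypt-then-MAC built on the standard library; the cipher is illustrative, the account binding via authenticated associated data is the point. Names such as `seal`, `open_token` and the "alice"/"mallory" accounts are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo key. A real deployment would load this from a key store or
# HSM, never hard-code it. Key length is not the issue the question raises:
# once the cookie is the credential, the key only decides who can cash it in.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the server key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, an illustrative stream cipher that needs only
    the standard library. A production system would use a standard AEAD such as
    AES-GCM instead; the binding idea below is the same either way."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. `aad` is authenticated but not encrypted; the tag covers
    it, so a token only opens under the same `aad` it was sealed with."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_token(key: bytes, aad: bytes, token: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the token is malformed, tampered with,
    or was sealed under a different `aad`."""
    if len(token) < 48:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- The scheme from the question: the cookie stands alone --------------------

def issue_bearer_cookie(card: bytes) -> bytes:
    return seal(SERVER_KEY, b"", card)


def charge_from_bearer_cookie(cookie: bytes) -> Optional[str]:
    """Whoever presents the cookie gets it decrypted; the server has no way to
    tell the cardholder's browser from a copy of the cookie file."""
    card = open_token(SERVER_KEY, b"", cookie)
    return card.decode() if card is not None else None


# --- Binding the stored card to the authenticated account ---------------------

def issue_bound_cookie(account_id: str, card: bytes) -> bytes:
    return seal(SERVER_KEY, account_id.encode(), card)


def charge_from_bound_cookie(session_account: str, cookie: bytes) -> Optional[str]:
    """`session_account` comes from the server-side session established at
    login, not from the cookie; a token issued to another account fails the MAC."""
    card = open_token(SERVER_KEY, session_account.encode(), cookie)
    return card.decode() if card is not None else None


def demo() -> Dict[str, bool]:
    card = b"4111111111111111"  # constructed test number
    bearer = issue_bearer_cookie(card)
    bound = issue_bound_cookie("alice", card)
    # One byte of ciphertext flipped, as a tampering check.
    tampered = bound[:16] + bytes([bound[16] ^ 0x01]) + bound[17:]
    return {
        # Stolen bearer cookie replayed from any session: the server pays out.
        "bearer_replay_succeeds": charge_from_bearer_cookie(bearer) == card.decode(),
        # Bound cookie used by the account it was issued to: works as intended.
        "bound_owner_succeeds": charge_from_bound_cookie("alice", bound) == card.decode(),
        # Same cookie presented from another account's session: rejected.
        "bound_replay_succeeds": charge_from_bound_cookie("mallory", bound) is not None,
        # Modified cookie: rejected before any decryption result is used.
        "bound_tampered_succeeds": charge_from_bound_cookie("alice", tampered) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Binding the token to the account narrows the exposure from "anyone holding the cookie" to "anyone holding the cookie together with the owner's authenticated session", which is why the accepted answer stacks session security, data-privacy compliance and application hardening on top of it rather than treating encryption as sufficient. ahoffmann's first recommendation, re-entering the card after each login, removes the stored secret altogether and needs none of this.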
LVL 8

Author Comment

by:trevorhartman
ID: 12092760
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman