credit card security
Posted on 2004-09-17
Not sure where to ask this, so I'll just ask here. My company has an online webstore, and we want to streamline the process of checking out. This includes "remembering" the customer's settings from the last time they purchased something on our store. We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering". Everything is working out great, except for the credit card. I do not want to store credit cards on our server as I do not know how to do so securely. Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer. The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this? Can you think of any rules/laws that are being violated? Do you think this is just plain bad practice? Do you have any better solutions?
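
The scheme described in the post, as an added example that is not part of the original post: card data is sealed with AES-256-GCM under a key that stays on the server, and the cookie is bound to one customer, so an altered cookie or one presented for a different account is rejected. The 32-byte key, the `customer-1001` style IDs, the function names and the test card number are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: a 32-byte key that never leaves the server. Generated here so the
// example runs stand-alone; a real deployment would load it from a key store.
const SERVER_KEY = crypto.randomBytes(32);

// Encrypt `cardData` and bind the result to one customer through the GCM
// additional authenticated data (AAD). Returns a base64url cookie value.
function sealCookie(cardData, customerId, key = SERVER_KEY) {
  const iv = crypto.randomBytes(12);            // fresh nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(customerId), 'utf8'));
  const ct = Buffer.concat([cipher.update(cardData, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();              // 16-byte integrity tag
  return Buffer.concat([iv, tag, ct]).toString('base64url');
}

// Returns the plaintext, or null if the cookie was altered, truncated,
// sealed under another key, or presented for a different customer.
function openCookie(cookieValue, customerId, key = SERVER_KEY) {
  const raw = Buffer.from(String(cookieValue), 'base64url');
  if (raw.length < 12 + 16) return null;        // too short to hold iv + tag
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(String(customerId), 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;                                // authentication failed
  }
}

// Flip one bit in the last ciphertext byte of a cookie (helper for the demo).
function tamper(cookieValue) {
  const raw = Buffer.from(cookieValue, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}

// Constructed sample input: a standard test card number, not a real account.
const cookie = sealCookie('4111111111111111|12/06', 'customer-1001');
console.log(openCookie(cookie, 'customer-1001'));          // the original card data
console.log(openCookie(tamper(cookie), 'customer-1001'));  // null
console.log(openCookie(cookie, 'customer-2002'));          // null
```

The binding only ties a cookie to an account; an unmodified cookie copied from the customer's machine still decrypts on the server for that same account.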