credit card security

Posted on 2004-09-17
Last Modified: 2013-11-18
Hi,

Not sure where to ask this, so I'll just ask here.  My company has an online webstore, and we want to streamline the process of checking out.  This includes "remembering" the customer's settings from the last time they purchased something on our store.  We basically want the same functionality that Amazon.com provides its customers with the "1 click ordering".  Everything is working out great, except for the credit card.  I do not want to store credit cards on our server as I do not know how to do so securely.  Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?  Can you think of any rules/laws that are being violated?  Do you think this is just plain bad practice?  Do you have any better solutions?

Thanks

Trevor
Question by:trevorhartman
7 Comments
LVL 1

Assisted Solution

by:sevie
sevie earned 200 total points
ID: 12088046
- Use of secure connections using SSL to safeguard information when transmitted from web browser to your server (https://verisign.com/) and/or use certificates (http://GlobalSign.com) for customer authorization
- Security controls to restrict access to databases housing personally identifying information
- Use of encryption for sensitive personal information, such as credit card numbers and user names
- Binding subcontractors by contractual technical and organizational measures to protect personal information
- Treating any personal information that may be contained in cookies with the same level of confidentiality as other information provided
LVL 51

Expert Comment

by:ahoffmann
ID: 12090888
> Instead, we were thinking of encrypting the info with a 512 byte key that is stored on our server, and saving the encrypted credit card info in a cookie on their computer.  The only way to decrypt it would be with the key that is stored on our server... What do you guys think of this?

I steal *your* cookie, and because your server is the only one able to decrypt it in reasonable time, I get a valid credit card number from *you*.
I don't need to know the algorithm or its strength, just the cookie :-)
Does this answer your question about security?

In general, cookies are useless for transporting/storing confidential information.
LVL 8

Author Comment

by:trevorhartman
ID: 12091996
Yes, that answers my question on whether or not to use cookies.  Thank you.  

Now can anyone just tell me what is the/a correct method of storing credit card numbers?

-Trevor
LVL 51

Expert Comment

by:ahoffmann
ID: 12092658
> Now can anyone just tell me what is the/a correct method of storing credit card numbers?
difficult.

I'd not store the numbers on the server, for various reasons concerning the number itself (validity, owner, etc.), but mostly to protect myself against someone somehow getting hold of the numbers.
Design your application so that the number has to be entered each time after login.
It goes without saying that you use SSL (as sevie said).
LVL 8

Author Comment

by:trevorhartman
ID: 12092673
Yes, we're using SSL.  Amazon.com and several other stores store the credit card number on their servers, don't they?  I'm all for entering the CC each time, but my boss wants 1-click functionality...  Is it just too much of a risk?

-Trevor
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 1800 total points
ID: 12092740
> .. but my boss wants 1-click functionality...
ok, you're prepared for building an application with a sophisticated user registration ('cause of the CC), then a secure authentication scheme with a session ID where you can prove that each authenticated user is authorized to use the stored CC.
Then you have to ensure that all data you store complies with various "data privacy policies".
After that you ensure that the data is safe, meaning no unauthorized person has access to it, either physically or electronically.
A firewall is still protecting your web server; it needs to protect your database server too.
Your application is "web application security" aware, meaning that it has no vulnerabilities like XSS, SQL Injection, etc. etc.
Best you get a Web Application Firewall too, to be more safe.
Do you need more protection hints for "1-click"?
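As an added example (not code from this thread or from any of the posters), the Python model below puts the two designs side by side: the encrypted-cookie scheme from the question, which ahoffmann's earlier comment breaks by simply replaying a stolen cookie, and the server-side scheme from the accepted answer, where the card number is stored encrypted on the server, the browser holds only a session ID, and checkout charges only the card belonging to the authenticated session's user. The cipher is a toy HMAC-SHA256 keystream construction standing in for whatever the server would really use; it is there only to make the point that cipher strength is irrelevant to the replay. The card number, user names and addresses are constructed demo values.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed demo value; not a real card.
VICTIM_CARD = "4111111111111111"


# --- Toy authenticated encryption (HMAC keystream XOR + HMAC tag). ---
# Assumption: stands in for the real server-side cipher. Not production crypto;
# the argument below does not depend on how strong this is.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, token: str) -> bytes:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Design 1: the proposal in the question. The card number is encrypted
# under a key only the server has and handed to the browser as a cookie. ---
class CookieStore:
    def __init__(self) -> None:
        self.key = os.urandom(32)  # "the only way to decrypt is with the server key"

    def remember_card(self, card_number: str) -> str:
        return seal(self.key, card_number.encode())

    def one_click_checkout(self, card_cookie: str, ship_to: str) -> dict:
        # Nothing ties the cookie to a logged-in user: the server decrypts and
        # charges whatever is presented, for whoever presents it.
        card = unseal(self.key, card_cookie).decode()
        return {"charged_card": card, "ship_to": ship_to}


def cookie_replay_demo() -> dict:
    """Attacker steals the victim's cookie (XSS, malware, shared PC) and replays it."""
    shop = CookieStore()
    stolen_cookie = shop.remember_card(VICTIM_CARD)
    return shop.one_click_checkout(stolen_cookie, ship_to="attacker's address")


# --- Design 2: the accepted answer. Card data never leaves the server; the
# browser holds only an unguessable session ID bound to an authenticated user. ---
class ServerSideStore:
    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.cards: dict[str, str] = {}     # user_id -> card sealed at rest
        self.sessions: dict[str, str] = {}  # session_id -> user_id

    def register_card(self, user_id: str, card_number: str) -> None:
        self.cards[user_id] = seal(self.key, card_number.encode())

    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # server-generated, not derived from user data
        self.sessions[sid] = user_id
        return sid

    def one_click_checkout(self, session_id: str, ship_to: str) -> dict:
        user_id = self.sessions.get(session_id)
        if user_id is None:
            raise PermissionError("not authenticated")
        sealed = self.cards.get(user_id)  # the user comes from the session, never the request
        if sealed is None:
            raise LookupError("no card on file; ask the user to enter one")
        card = unseal(self.key, sealed).decode()
        # The full number is used only inside the server to place the charge;
        # the response reveals at most the last four digits.
        return {"user": user_id, "card_last4": card[-4:], "ship_to": ship_to}


def server_side_demo() -> dict:
    shop = ServerSideStore()
    shop.register_card("alice", VICTIM_CARD)
    alice_sid, mallory_sid = shop.login("alice"), shop.login("mallory")
    results = {"alice": shop.one_click_checkout(alice_sid, "alice's address")}
    try:  # no session at all: refused
        shop.one_click_checkout("made-up-session", "attacker's address")
        results["no_session"] = "charged"
    except PermissionError:
        results["no_session"] = "denied"
    try:  # another authenticated user cannot reach alice's card
        shop.one_click_checkout(mallory_sid, "attacker's address")
        results["other_user"] = "charged"
    except LookupError:
        results["other_user"] = "no card on file"
    return results


if __name__ == "__main__":
    print("cookie design, replayed stolen cookie:", cookie_replay_demo())
    print("server-side design:", server_side_demo())
```

Note what the second design does and does not buy: the number itself is no longer recoverable from anything the browser holds, and a request cannot name another user's card, but a stolen session ID still lets an attacker place a one-click order on the victim's card. That residual risk is why the accepted answer goes on to list session security, XSS/SQL injection hygiene, database firewalling and physical access control rather than stopping at "encrypt it".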
LVL 8

Author Comment

by:trevorhartman
ID: 12092760
Looks like I'm in over my head.  I would like to eventually pursue being able to do this, but for now I think not.  Thank you for your help.

-Trevor Hartman