OK, I know credit cards are a security issue to store. Enough said on that.
To save client headaches and for client ease the company has decided to keep that info in the DB.
I've been reading about AES_ENCRYPT and AES_DECRYPT.
I have seen different opinions on what type of field I should use: VARCHAR, BLOB or TINYBLOB. If VARCHAR, it needs to be bigger than the size of the credit card number. A CC is 16 digits and the encryption makes it 22.
What is the best way to store the key variable? It seems to me that if somebody hacks the server they would get that variable as well, which would let them unlock the card numbers. Could I host the key on a separate server? I guess if it is down that would be a problem... but not as big a problem as all the client card numbers getting out. ;-)
For internal fraud, the only time a sales person can see the customer's card number is when they first enter it. After that it only displays the last 4 digits to the sales person so they can verify the correct card with the customer.
Google has provided me with plenty of problem cases with decrypting. However, it seems that most of these problems were with encrypting and decrypting text. Since these are numbers that are always the same length, I hope to avoid that problem. Any thoughts on that?
Any general opinions other than "Don't store credit cards" or "Buy this software" would be appreciated.
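An added MySQL example (not from the original post) showing the column sizing and key-handling questions the post raises: AES_ENCRYPT returns binary data padded to a whole 16-byte block, so the column is VARBINARY sized to that output, only the last four digits are kept readable, and the key is a placeholder supplied by the application rather than a value stored in the database. The table name, column names, `@card_key` and the 4111... test number are assumptions for illustration.

```sql
-- Added example, not the poster's code. Assumed table/column names.
-- AES_ENCRYPT (default block_encryption_mode = aes-128-ecb) pads the input
-- to a whole 16-byte block: output length = 16 * (FLOOR(LENGTH(input)/16) + 1).
-- A 16-digit number therefore encrypts to 32 bytes, and the result is binary,
-- so the column must be VARBINARY/BLOB; a VARCHAR column can corrupt it via
-- character-set conversion, which is a common cause of "can't decrypt" problems.
CREATE TABLE customer_card (
  customer_id INT UNSIGNED  NOT NULL PRIMARY KEY,
  pan_enc     VARBINARY(32) NOT NULL,  -- 32 = 16 * (FLOOR(16/16) + 1)
  pan_last4   CHAR(4)       NOT NULL   -- the only part sales staff ever see
);

-- The key comes from the application at query time and is never written to a
-- table. '<key supplied by the application>' is a placeholder, not a real key.
-- Note that literals and session variables can still land in query/binary logs.
SET @card_key = '<key supplied by the application>';

-- 4111111111111111 is a constructed test number, not a real card.
INSERT INTO customer_card (customer_id, pan_enc, pan_last4)
VALUES (1,
        AES_ENCRYPT('4111111111111111', @card_key),
        RIGHT('4111111111111111', 4));

-- Size check: both columns return 32 for a 16-digit input.
SELECT LENGTH(AES_ENCRYPT('4111111111111111', @card_key))       AS cipher_len,
       16 * (FLOOR(LENGTH('4111111111111111') / 16) + 1)        AS expected_len;

-- Display path for sales staff: masked, no decryption involved.
SELECT customer_id, CONCAT('************', pan_last4) AS masked_pan
FROM customer_card;

-- Decryption only where the full number is genuinely required.
-- A wrong key or damaged ciphertext yields NULL rather than an error.
SELECT CAST(AES_DECRYPT(pan_enc, @card_key) AS CHAR) AS pan
FROM customer_card
WHERE customer_id = 1;
```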