Mcrypt not decrypting entire credit card number occasionally - decrypts first 8 numbers

We are using Mcrypt to encrypt our credit card numbers first to binary and then to hex. The hex numbers are stored in a MySQL database. This is fairly new and all has gone well except for one credit card number that would not decrypt. The first eight numbers decrypted fine but the last eight look like gibberish. Why would this not work on all numbers? I did change the keycode and then it worked fine, but the old key code worked on the rest of the numbers, so I am not sure how this works. I have attached my code. This is done in Filemaker using a php plugin so some of the code references are for Filemaker. Suggestions?
It is really not a good idea to store credit card data on your server even if encrypted.
If the server got broken into and the encryption algorithm code used to encrypt the data is there also, then it can be easily determined how to decrypt the data.
I am guessing you are also storing the key used to decrypt on the server as well. Really Bad Idea.
It would be trivial to any knowledgeable malicious user to decrypt all the data if that were the case.
If you are very confident and technically knowledgeable with PCI DSS security practices, then you would know it is a very bad idea to do this.

Use this guide to help understand what good data handling standards consist of.

If you are looking to safely store credit card and customer info (which you should), then I will strongly suggest storing it on a 3rd party server at using their new Customer Information Manager (CIM). This is exactly what they designed it for.
It will keep you from putting your customers' data at risk.

I also wrote a php class for the CIM if you are interested.


Just some helpful advice.
tammyfAuthor Commented:
Thanks, I appreciate the suggestions; however, we have to store the encrypted card number since we do not charge the card immediately. We use to charge the card. There are two parts. The encrypted number goes into a MySQL database which gets deleted after it is transferred to an internal database. The card number gets decrypted internally so it can go through and then destroyed. We have a company that scans our servers and gives it blessings (for PCI compliance) for security. I am no expert (obviously) but the only failing issue we have right now is that they want our server to have PHP 5.2.6 instead of 5.2.4.

The other thing is this is a small company.  Having to have our web code rewritten to use a third party to store this information would be a burden.  I will however look into additional services with  Thanks for the suggestion.  I am almost thinking we should go back to checks only since it is getting to be such a burden to accept credit cards!

I still need to know why mcrypt is failing partially.
No problem. I will let someone else handle that question.
Tim HolmanCommented:
If the encryption process was broken, you wouldn't get any relevant information back at all. It would ALL be gibberish and not just the last 8 characters. I would hazard a guess that your BIN <> HEX conversion process was causing this.
Also bear in mind that not all PANs are 16 chars - I think Amex has 14 digits, Diners 12, which may screw up the process somewhere along the line.
I'd question why you're moving from BIN to HEX as this potentially takes up more space and adds another processing step that could mar performance?
Last, but not least, you say you have to store the numbers as you charge immediately? I was wondering why this is? Most payment SPs facilitate repeat billing by giving you a payment type code of some sort you can use in your application, but generally I'd say take the money as soon as you can - if you delay billing then this opens a window for fraudulent use?
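The following is an added example, not the asker's attached script (which is not reproduced on this page) and not Filemaker code. It rebuilds the pipeline the question describes (mcrypt, Blowfish in CBC mode, bin2hex into the database, back to binary for decryption) and then shows the symptom from the question alongside the check that would have caught it: a single altered hex digit in the second ciphertext block leaves the first 8 digits intact and garbles the last 8, which is consistent with the BIN/HEX handling suspicion above rather than a broken cipher; an HMAC over IV and ciphertext turns that silent corruption into a reported error. It assumes the mcrypt extension of PHP 5.x (deprecated in 7.1 and removed from core in 7.2); the keys, the test PAN and the function names are constructed for the demo.

```php
<?php
// Added example: not the asker's attached script and not Filemaker code.
// Assumes PHP 5.x with the mcrypt extension. Blowfish has an 8-byte block,
// which is what makes "first 8 digits fine, last 8 garbage" a block-level symptom.

$CIPHER = MCRYPT_BLOWFISH;
$MODE   = MCRYPT_MODE_CBC;

// Encrypt a PAN, prepend the IV, append an HMAC over IV+ciphertext, return hex for the DB.
function encrypt_pan_hex($pan, $encKey, $macKey) {
    global $CIPHER, $MODE;
    $iv = mcrypt_create_iv(mcrypt_get_iv_size($CIPHER, $MODE), MCRYPT_DEV_URANDOM);
    // mcrypt zero-pads the final block, so PANs that are not 16 digits long still encrypt.
    $ct  = mcrypt_encrypt($CIPHER, $encKey, $pan, $MODE, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true); // 32 raw bytes
    return bin2hex($iv . $ct . $tag);
}

// Split a stored hex value back into IV, ciphertext and tag, validating the hex first.
function unpack_stored($hex) {
    global $CIPHER, $MODE;
    if (strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException('stored value is not valid hex');
    }
    $bin    = pack('H*', $hex);            // hex2bin() only exists from PHP 5.4
    $ivSize = mcrypt_get_iv_size($CIPHER, $MODE);
    $ct     = substr($bin, $ivSize, strlen($bin) - $ivSize - 32);
    if (strlen($ct) < 8 || strlen($ct) % 8 !== 0) {
        throw new RuntimeException('ciphertext is not a whole number of 8-byte blocks');
    }
    return array(substr($bin, 0, $ivSize), $ct, substr($bin, -32));
}

// Decrypt WITHOUT checking the tag: this mirrors the asker's pipeline and shows the symptom.
function decrypt_pan_unchecked($hex, $encKey) {
    global $CIPHER, $MODE;
    list($iv, $ct) = unpack_stored($hex);
    return rtrim(mcrypt_decrypt($CIPHER, $encKey, $ct, $MODE, $iv), "\0");
}

// Decrypt only if the tag matches: a damaged or truncated row is reported, not half-decrypted.
function decrypt_pan_checked($hex, $encKey, $macKey) {
    global $CIPHER, $MODE;
    list($iv, $ct, $tag) = unpack_stored($hex);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    $ok = function_exists('hash_equals') ? hash_equals($expected, $tag) : ($expected === $tag);
    if (!$ok) {
        throw new RuntimeException('HMAC mismatch: stored ciphertext was altered or truncated');
    }
    return rtrim(mcrypt_decrypt($CIPHER, $encKey, $ct, $MODE, $iv), "\0");
}

// Constructed demo keys and a constructed test PAN; real keys belong in a key store, not in code.
$encKey = 'demo-encryption-key-only';
$macKey = 'demo-mac-key-only';
$pan    = '4111111111111111';

$hex = encrypt_pan_hex($pan, $encKey, $macKey);
echo "round trip ok: ", var_export(decrypt_pan_checked($hex, $encKey, $macKey) === $pan, true), "\n";

// Flip one hex digit inside the SECOND ciphertext block (hex offset: 8-byte IV + 8-byte block 1).
$damaged = $hex;
$pos = (8 + 8) * 2;
$damaged[$pos] = ($damaged[$pos] === '0') ? '1' : '0';

$out = decrypt_pan_unchecked($damaged, $encKey);
echo "first 8 digits intact: ", var_export(substr($out, 0, 8) === substr($pan, 0, 8), true), "\n";
echo "last 8 digits intact:  ", var_export(substr($out, 8) === substr($pan, 8), true), "\n";

try {
    decrypt_pan_checked($damaged, $encKey, $macKey);
} catch (RuntimeException $e) {
    echo "checked decrypt refused: ", $e->getMessage(), "\n";
}
```

In CBC mode a corrupted ciphertext block decrypts to garbage on its own and only flips bits in the block after it; with a 16-digit PAN and an 8-byte block there are exactly two blocks, so damage to the second one leaves the first 8 digits untouched, which is the pattern in the question. The unchecked decrypt reproduces that; the checked decrypt refuses the row instead, so a transcription, column-width or character-set problem between MySQL and Filemaker surfaces as an error at the first affected record rather than as a card number that only half decrypts.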

tammyfAuthor Commented:
Thanks for your comment.

Two things. We have to move from bin to hex because we had a problem bringing in bin to Filemaker from the MySQL database and trying to decrypt. Filemaker won't recognize blob fields and there were some character issues that were resolved after going to hex. Second, we cannot charge the card immediately since we don't know the final cost. Therefore we have to store this encrypted data. I realize it is not a good idea to store anything but at this point we have no other choice. I am looking into storing it with but I have to have a way to charge the card once we have the cost.
Tim HolmanCommented:
I'm just wondering what kind of environment is this - I've done work with everything from in-flight charging systems to online gaming and I've not come across a situation where there's really a business need to authorise the card for a certain amount and do variable billing later, unless we're talking a subscription system?  There are payment type codes to handle all eventualities so that you can avoid credit card data storage.
I've been working pretty much full time on PCI DSS and securing credit data for the past few years now - I'm sure there's a viable alternative?
tammyfAuthor Commented:
I think I need to clarify something. We are not charging the card at all when we take the order. We are taking the credit card number, encrypting it and storing it until we know the actual charge. We then decrypt and send it to to charge the card. There is no authorization up front. My problem has been on only a couple of transactions where I could not decrypt the card and wondered if my script had a problem.
Tim HolmanCommented:
This is generally bad practice and you will be caught by PCI DSS. Now PCI DSS is not just quarterly scans - you need to complete a Self Assessment Questionnaire (truthfully) to your acquiring bank, part of which is security around encrypting credit cards and protecting your infrastructure with an IDS/IPS, web application firewall, regular penetration tests, central event logging, file integrity monitoring.... I could go on, but the point is you're digging an expensive hole by even contemplating the storage of cardholder data on your systems! ;)
From a business perspective, I would recommend NOT storing the card number (you don't need to), rather than paying $25k+ investing in suitable protection.
I'm surprised a PHP/Filemaker guru hasn't picked this up yet....  PHP code all looks OK, but Filemaker elements I'm not really sure about, but thoroughly recommend you avoid storing card numbers in this way.
tammyfAuthor Commented:
I am aware of all of this and we are getting in compliance and have already passed the server tests and are completing the questionnaire.  What I want is a solution to the decryption process not a lecture.  There is a problem with the code as I cannot always decrypt the numbers.  If we don't store them, they have to be stored somewhere period.  We cannot charge the card immediately as we do not have the cost.