Solved

Mcrypt not decrypting entire credit card number occasionally - decrypts first 8 numbers

Posted on 2008-06-21
Last Modified: 2013-12-12
We are using Mcrypt to encrypt our credit card numbers first to binary and then to hex.  The hex numbers are stored in a mySQL database.  This is fairly new and all has gone well except for one credit card number that would not decrypt.  The first eight numbers decrypted fine but the last eight look like gibberish.  Why would this not work on all numbers?  I did change the keycode and then it worked fine but the old key code worked on the rest of the numbers so I am not sure how this works.  I have attached my code.  This is done in Filemaker using a php plugin so some of the code references are for Filemaker.   Suggestions?
mcrypt.doc
Question by:tammyf
 
LVL 10

Expert Comment

by:ray-solomon
It is really not a good idea to store credit card data on your server even if encrypted.
If the server got broken into and the encryption algorithm code used to encrypt the data is there also, then it can be easily determined how to decrypt the data.
I am guessing you are also storing the key used to decrypt on the server as well. Really Bad Idea.
It would be trivial to any knowledgeable malicious user to decrypt all the data if that were the case.
If you are very confident and technically knowledgeable with PCI DSS security practices, then you would know it is a very bad idea to do this.

Use this guide to help understand what good data handling standards consist of.
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

If you are looking to safely store credit card and customer info (which you should), then I will strongly suggest storing it on a 3rd party server at Authorize.net using their new Customer Information Manager (CIM). This is exactly what they designed it for.
It will keep you from putting your customers' data at risk.
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

I also wrote a php class for the CIM if you are interested.
http://www.bigdoghost.com/blog/authorizenet-cim/

:-)

Just some helpful advice.
0
 

Author Comment

by:tammyf
Thanks I appreciate the suggestions however we have to store the encrypted card number since we do not charge the card immediately.   We use authorize.net to charge the card.  There are two parts.  The encrypted number goes into a mySQL database which gets deleted after it is transferred to an internal database.  The card number gets decrypted internally so it can go through authorize.net and then destroyed.  We have a company that scans our servers and gives it blessings (for PCI compliance) for security.  I am no expert (obviously) but the only failing issue we have right now is that they want our server to have PHP 5.2.6 instead of 5.2.4.

The other thing is this is a small company.  Having to have our web code rewritten to use a third party to store this information would be a burden.  I will however look into additional services with authorize.net.  Thanks for the suggestion.  I am almost thinking we should go back to checks only since it is getting to be such a burden to accept credit cards!

I still need to know why mcrypt is failing partially.
0
 
LVL 10

Expert Comment

by:ray-solomon
No problem. I will let someone else handle that question.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 125 total points
If the encryption process was broken, you wouldn't get any relevant information back at all.  It would ALL be gibberish and not just the last 8 characters.  I would hazard a guess that your BIN <> HEX conversion process was causing this.
Also bear in mind that not all PANs are 16 chars - I think Amex has 14 digits, Diners 12, which may screw up the process somewhere along the line.
I'd question why you're moving from BIN to HEX as this potentially takes up more space and adds another processing step that could mar performance?
Last, but not least, you say you have to store the numbers as you charge immediately?  I was wondering why this is?  Most payment SPs facilitate repeat billing by giving you a payment type code of some sort you can use in your application, but generally I'd say take the money as soon as you can - if you delay billing then this opens a window for fraudulent use?
0
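An added illustration, not code from this thread or from the asker's attachment: how a stored value damaged somewhere between binary, hex and the database can decrypt to a correct first eight digits and a garbled second eight. It assumes a cipher with 8-byte blocks applied block by block (ECB); the thread names neither cipher nor mode, and the toy Feistel cipher, key and test card number are constructed stand-ins.

```python
import hashlib

BLOCK = 8  # assumed cipher block size in bytes; the thread does not name the cipher

def _round(key, n, half):
    # Round function of a toy Feistel cipher: a stand-in for mcrypt, NOT secure.
    return hashlib.sha256(key + bytes([n]) + half).digest()[:4]

def _block(key, blk, rounds):
    left, right = blk[:4], blk[4:]
    for n in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, n, right)))
    return right + left  # final swap lets decryption reuse this code with rounds reversed

def _ecb(key, data, rounds):
    # Each 8-byte block is processed independently of the others (ECB assumed).
    return b"".join(_block(key, data[i:i + BLOCK], rounds)
                    for i in range(0, len(data), BLOCK))

def encrypt_hex(key, pan):
    data = pan.encode()
    data += b"\0" * (-len(data) % BLOCK)  # zero padding, as mcrypt applies
    return _ecb(key, data, range(4)).hex()

def decrypt_hex(key, stored):
    return _ecb(key, bytes.fromhex(stored), range(3, -1, -1))

def stored_hex_problem(stored):
    """Return a description of a format problem in a stored value, or None."""
    if stored != stored.strip():
        return "leading or trailing whitespace"
    if any(c not in "0123456789abcdefABCDEF" for c in stored):
        return "non-hex character"
    if len(stored) % (2 * BLOCK):
        return "length is not a whole number of blocks"
    return None

def demo():
    key, pan = b"constructed-demo-key", "4111111111111111"  # constructed test values
    stored = encrypt_hex(key, pan)
    # Simulate one hex digit changed in storage or transfer, inside the second block.
    swapped = "0" if stored[20] != "0" else "1"
    damaged = stored[:20] + swapped + stored[21:]
    return stored, decrypt_hex(key, stored), decrypt_hex(key, damaged)

if __name__ == "__main__":
    stored, clean, bad = demo()
    print(clean, bad[:8], bad[8:])
```

The format check catches truncated or whitespace-padded values but not a hex digit that changed to another valid digit; reading the value back and decrypting it right after it is stored would catch that case as well.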

Author Comment

by:tammyf
Tim,

Thanks for your comment.  

Two things.  We have to move from bin to hex because we had a problem bringing in bin to Filemaker from MySql database and trying to decrypt.  Filemaker won't recognize blob fields and there were some character issues that were resolved after going to hex.  Second, we cannot charge the card immediately since we don't know the final cost.  Therefore we have to store this encrypted data.  I realize it is not a good idea to store anything but at this point we have no other choice.  I am looking to storing it with authorize.net but I have to have a way to charge the card once we have the cost.
0
 
LVL 23

Expert Comment

by:Tim Holman
I'm just wondering what kind of environment is this - I've done work with everything from in-flight charging systems to online gaming and I've not come across a situation where there's really a business need to authorise the card for a certain amount and do variable billing later, unless we're talking a subscription system?  There are payment type codes to handle all eventualities so that you can avoid credit card data storage.
I've been working pretty much full time on PCI DSS and securing credit data for the past few years now - I'm sure there's a viable alternative?
0
 

Author Comment

by:tammyf
I think I need to clarify something.  We are not charging the card at all  when we take the order.  We are taking the credit card number, encrypting it and storing it until we know the actual charge.  We then decrypt and send it to authorize.net to charge the card.  There is no authorization up front.  My problem has been on only a couple of transactions where I could not decrypt the card and wondered if my script had a problem.
0
 
LVL 23

Expert Comment

by:Tim Holman
This is generally bad practice and you will be caught by PCI DSS.  Now PCI DSS is not just quarterly scans - you need to complete a Self Assessment Questionnaire (truthfully) to your acquiring bank, part of which is security around encrypting credit cards and protecting your infrastructure with an IDS/IPS, web application firewall, regular penetration tests, central event logging, file integrity monitoring....  I could go on, but point is you're digging an expensive hole by even contemplating the storage of cardholder data on your systems!  ;)
From a business perspective, I would recommend NOT storing the card number (you don't need to), rather than paying $25k+ investing in suitable protection.
I'm surprised a PHP/Filemaker guru hasn't picked this up yet....  PHP code all looks OK, but Filemaker elements I'm not really sure about, but thoroughly recommend you avoid storing card numbers in this way.
0
 

Author Comment

by:tammyf
I am aware of all of this and we are getting in compliance and have already passed the server tests and are completing the questionnaire.  What I want is a solution to the decryption process not a lecture.  There is a problem with the code as I cannot always decrypt the numbers.  If we don't store them, they have to be stored somewhere period.  We cannot charge the card immediately as we do not have the cost.
0
