Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Mcrypt not decrypting entire credit card number occasionally - decrypts first 8 numbers

Posted on 2008-06-21
Medium Priority
Last Modified: 2013-12-12
We are using Mcrypt to encrypt our credit card numbers first to binary and then to hex.  The hex numbers are stored in a mySQL database.  This is fairly new and all has gone well except for one credit card number that would not decrypt.  The first eight numbers decrypted fine but the last eight look like jibberish.  Why would this not work on all numbers?  I did change the keycode and then it worked fine but the old key code worked on the rest of the numbers so I am not sure how this works.  I have attached my code.  This is done in Filemaker using a php plugin so some of the code references are for Filemaker.   Suggestions?
Question by:tammyf
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
LVL 10

Expert Comment

ID: 21840506
It is really not a good idea to store credit card data on your server even if encrypted.
If the server got broken into and the the encryption algorithm code used to encrypt the data is there also, then it can be easily determined how to decrypt the data.
I am guessing you are also storing the key used to decrypt on the server as well. Really Bad Idea.
It would be trivial to any knowledgeable malicious user to decrypt all the data if that were the case.
If you are very confident and technically knowledgeable with PCI DSS security practices, then you would know it is a very bad idea to do this.

Use this guide to help understand what good data handling standards consist of.

If you are looking to safely store credit card and customer info (which you should), then I will strongly suggest storing it on a 3rd party server at Authorize.net using their new Customer Information Manager (CIM). This is exactly what they designed it for.
It will keep you from putting your customers' data at risk.

I also wrote a php class for the CIM if you are interested.


Just some helpful advice.

Author Comment

ID: 21840533
Thanks I appreciate the suggestions however we have to store the encrypted card number since we do not charge the card immediately.   We use authorize.net to charge the card.  There are two parts.  The encrypted number goes into a mySQL database which gets deleted after it is transferred to an internal database.  The card number gets decrypted internally so it can go through authorize.net and then destroyed.  We have a company that scans our servers and gives it blessings (for PCI compliance) for security.  I am no expert (obviously) but the only failing issue we have right now is that they want our server to have PHP 5.2.6 instead of 5.2.4.

The other thing is this is a small company.  Having to have our web code rewritten to use a third party to store this information would be a burden.  I will however look into additional services with authorize.net.  Thanks for the suggestion.  I am almost thinking we should go back to checks only since it is getting to be such a burden to accept credit cards!

I still need to know why mcrypt is failing partially.
LVL 10

Expert Comment

ID: 21840544
No problem. I will let someone else handle that question.
Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

LVL 23

Accepted Solution

Tim Holman earned 500 total points
ID: 22170288
If the encryption process was broken, you wouldn't get any relevant information back at all.  It would ALL be jibberish and not just the last 8 characters.  I would hazard a guess that your BIN <> HEX conversion process was causing this.
Also bear in mind that not all PANs are 16 chars - I thikn Amex has 14 digits, Diners 12, which may screw up the process somewhere along the line.
I'd question why you're moving from BIN to HEX as this potentially takes up more space and adds another processing step that could marr performance?
Last, but not least, you say you have to store the numbers as you charge immediately?  I was wondering why this is?  Most payment SPs faciliate repeat billing by giving you a payment type code of some sort you can use in your application, but generally I'd say take the money as soon as you can - if you delay billing then this opens a window for fraudulent use?

Author Comment

ID: 22180453

Thanks for your comment.  

Two things.  We have to move from bin to hex because we had a problem bringing in bin to Filemaker from MySql database and trying to decrypt.  Filemaker won't recognize blob fields and there were some character issues that were resolved after going to hex.  Second, we cannot charge the card immediately since we don't know the final cost.  Therefore we have to store this encrypted data.  I realize it is not a good idea to store anything but at this point we have no other choice.  I am looking to storing it with authorize.net but I have to have a way to charge the card once we have the cost.
LVL 23

Expert Comment

by:Tim Holman
ID: 22186054
I'm just wondering what kind of environment is this - I've done work with everything from in-flight charging systems to online gaming and I've not come across a situation where there's really a business need to authorise the card for a certain amount and do variable billing later, unless we're talking a subscription system?  There are payment type codes to handle all eventualities so that you can avoid credit card data storage.
I've been working pretty much full time on PCI DSS and securing credit data for the past few years now - I'm sure there's a viable alternative?

Author Comment

ID: 22186079
I think I need to clarify something.  We are not charging the card at all  when we take the order.  We are taking the credit card number, encrypting it and storing it until we know the actual charge.  We then decrypt and send it to authorize.net to charge the card.  There is no authorization up front.  My problem has been on only a couple of transactions where I could not decrypt the card and wondered if my script had a problem.
LVL 23

Expert Comment

by:Tim Holman
ID: 22189523
This is generally bad practice and you will be caught by PCI DSS.  Now PCI DSS is not just quarterly scans - you need to complete a Self Assessment Questionnairre (truthfully) to your acquiring bank, part of which is security around encrypting credit cards and protecting your infrastructure with an IDS/IPS, web application firewall, regular penetration tests, central event logging, file integrity monitoring....  I could go on, but point is you're digging an expensive hole by even contemplating the storage of cardholder data on your systems!  ;)
From a business perspective, I would recommend NOT storing the card number (you don't need to), rather than paying $25k+ investing in suitable protection.
I'm surprised a PHP/Filemaker guru hasn't picked this up yet....  PHP code all looks OK, but Filemaker elements I'm not really sure about, but thoroughly recommend you avoid storing card numbers in this way.

Author Comment

ID: 22189593
I am aware of all of this and we are getting in compliance and have already passed the server tests and are completing the questionnaire.  What I want is a solution to the decryption process not a lecture.  There is a problem with the code as I cannot always decrypt the numbers.  If we don't store them, they have to be stored somewhere period.  We cannot charge the card immediately as we do not have the cost.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
In this article, I’ll talk about multi-threaded slave statistics printed in MySQL error log file.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question