Solved

Classic ASP Encryption for Credit Card Data

Posted on 2014-01-23
6
998 Views
Last Modified: 2014-02-09
What is currently the best encryption method available in classic ASP to store credit card data? Please provide a function or a link to a component if possible.
0
Question by:nrking83
6 Comments
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 39805788
>What is currently the best encryption method available in classic asp to store credit card data?

ASP Classic, ASP.NET, PHP, Python, Ruby... the answer is the same. You don't store credit card data on your server. The only thing you store is name, address, etc. Card number, expiration date and the 3/4 digit code are stored with your payment gateway.

Typically, after the transaction, they respond with a transaction id that you can store. Depending on who your gateway is, you can send that transaction id to the payment gateway for future payments IF THE CUSTOMER HAS AGREED TO SAVE PAYMENT INFORMATION.

There are different levels of PCI compliance. Only financial institutions and payment gateways would have the level to store credit cards: http://www.pcicomplianceguide.org/pcifaqs.php

As for encryption, you are either using a one-way hash (that you typically would send as a "key" to your gateway) or a 2-way. A 2-way hash means it can be decrypted with a key; a one-way means it can't be decrypted (easily).

http://en.wikipedia.org/wiki/Cryptography, and there is a good overview on this JS project: https://code.google.com/p/crypto-js/. However, doing any of this client side is not secure. You can use this in classic ASP server side, but JScript runs very slowly.

You can find the files you need at http://www.classicasp.org/ and there is information on AES encryption and decryption at http://www.classicasp.org/lib/asp/org/classicasp/doc/index.htm. FYI, there are both AES and RC4; use the AES: http://www.differencebetween.net/technology/internet/difference-between-aes-and-rc4/

When you have the files loaded, it is pretty straightforward to encrypt
http://www.classicasp.org/lib/asp/org/classicasp/doc/CryptUtilEx.asp.htm#Aes_Encrypt
 myVar = CryptUtilEx.Aes_Encrypt("plaintext", "password")   ' returns the ciphertext as a string, so no Set keyword

and decrypt
 myVar = CryptUtilEx.Aes_Decrypt("cyphertext", "password")  ' returns the recovered plaintext string

You don't have to have that entire project loaded, just the CryptAesUtilEx.asp. It is in the folder ClassicASP>Util>CryptUtilEX>CryptAesUtilEx.asp. Just include the one file as a server-side include.

That entire project is open source and you can find many of the items around the net, but it has pretty much everything you ever looked for...

Let me know if you have questions on this.  
Please encrypt basic personal information with a 2 way encryption and passwords with a one way.  Never store credit card data unless you are specifically contracted and authorized by your credit card processor.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39806452
If you are unaware that PCI is a World Wide Credit Card standard, and that storing CC data requires you to have an Audit from a certified QSA, then you should not store CC data yourself.

Storing CC data is ok to do, and you should in many cases, but you have to be prepared to be PCI compliant. Being PCI compliant is very hard to do, and it may be best to use a backend or shopping cart service that is already PCI compliant.
Storing CC data in a one-way hash makes no sense other than to confirm the data when it's re-entered. When Amazon or another stores your CC, it's totally "reversible" encryption. You just have to manage the keys for the encryption in a secure fashion, and that is the heart of PCI compliance.
You should encrypt the CC data to a database in most cases, and encrypt that database or the data before it's placed in a plain-text database. We recommend using an HSM as opposed to coding the encryption yourself.
https://www.pcisecuritystandards.org/documents/PCI%20HSM%20Security%20Requirements%20v1.0%20final.pdf

BEFORE you begin storing CC data, you should be PCI compliant, and that means hiring a QSA to accredit you and your shopping cart or code. There are only a few hundred accredited QSAs in each country. You have to hire one; your company's reputation and finances are at risk, and the customers' data is at risk. Don't store CC data if you are not prepared for a lawsuit attacking your storage practices and non-compliance with PCI.
-rich
0
 

Author Comment

by:nrking83
ID: 39806661
For clarity, my company is building a shopping cart and intends to become PCI compliant. I understand the QSA procedure and the PCI requirements. RichRumble, can you provide a few resources on how to use an HSM with Classic ASP?

Nick
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39807413
Most HSMs cost a lot, but there are also affordable ones like YubiCo's HSM:
http://www.yubico.com/products/yubihsm/ http://www.yubico.com/wp-content/uploads/2012/10/YubiHSM-Manual-v1.0.4.pdf
The HSM will appear as a COM port on a Windows machine. I'm no programmer, so it may be best to contact YubiCo about .NET/ASP access to the HSM; there are a few projects out there: https://code.google.com/p/yubikey-net/ https://code.google.com/p/nodatabase-yubikey-server/

The more supported and costly HSMs you can get from TrustWave, RSA and SafeNet all have good support for ASP/.NET, but again cost a lot. The cheaper HSM options are the internal PCI or USB devices, not the appliance-sized 1U-2U boxes :)

A YubiHSM is $500, but it's questionable how well Windows is supported. Again, I'd write to their staff to find out more.
http://social.technet.microsoft.com/wiki/contents/articles/10576.hardware-security-module-hsm.aspx
-rich
0
 
LVL 3

Accepted Solution

by:
teodor birca earned 250 total points
ID: 39813764
I used this with success, if you use MSSQL:
"Encrypt data with a passphrase using the TRIPLE DES algorithm with a 128 key bit length."

http://technet.microsoft.com/en-us/library/ms190357.aspx
0
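A worked T-SQL illustration of the EncryptByPassPhrase/DecryptByPassPhrase approach the accepted answer links to, added here as an example and not code from the thread; the table name dbo.CardVault, the passphrase value and the card number are constructed for the demo. It also shows the two things that bite in practice: the return type must be converted back to the type used on input, and a wrong passphrase or authenticator yields NULL rather than an error.

```sql
-- Constructed demo of SQL Server's passphrase encryption (Triple DES, 128-bit key).
-- The passphrase is supplied by the application at call time; it must never be
-- hard-coded in a stored procedure, and note that keeping it in the app config on
-- the same server as the data is exactly the key-management gap a QSA will flag.
DECLARE @Passphrase NVARCHAR(128) = N'replace-with-passphrase-from-app-config';

CREATE TABLE dbo.CardVault (               -- assumed table name
    CustomerId INT            NOT NULL PRIMARY KEY,
    CardCipher VARBINARY(256) NOT NULL,    -- raw output of EncryptByPassPhrase
    CreatedAt  DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME()
);

-- Store: the 3rd/4th arguments add an "authenticator" bound to the row, so a
-- ciphertext copied into another customer's row will not decrypt there.
-- 4111111111111111 is a constructed test number, not a real card.
INSERT INTO dbo.CardVault (CustomerId, CardCipher)
VALUES (42, EncryptByPassPhrase(@Passphrase, N'4111111111111111',
                                1, CONVERT(VARBINARY(4), 42)));

-- Retrieve: DecryptByPassPhrase returns VARBINARY; CONVERT back to the same
-- type used when encrypting (NVARCHAR here), otherwise you get garbage text.
SELECT CustomerId,
       CONVERT(NVARCHAR(19),
               DecryptByPassPhrase(@Passphrase, CardCipher,
                                   1, CONVERT(VARBINARY(4), CustomerId))) AS CardNumber
FROM dbo.CardVault
WHERE CustomerId = 42;

-- Failure mode: wrong passphrase (or wrong authenticator) returns NULL, not an error,
-- so callers must check for NULL instead of assuming decryption succeeded.
SELECT DecryptByPassPhrase(N'wrong-passphrase', CardCipher,
                           1, CONVERT(VARBINARY(4), CustomerId)) AS ShouldBeNull
FROM dbo.CardVault
WHERE CustomerId = 42;
```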
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 39813792
Regardless of whether you store credit card data or not, you still have to be PCI compliant if the data passes through your server. You should check with your payment processor to make sure your agreement allows for cc# storage. My own preference is to only store card data via the gateway. If I have permission from the customer to save the card for later billing, I store a transaction and/or customer id provided by the gateway at the time of the transaction. Then the API allows for submitting the customer/payment id or a past transaction id. The burden is off your shoulders.

Best of luck!
0
