Classic ASP Encryption for Credit Card Data

What is currently the best encryption method available in Classic ASP to store credit card data? Please provide a function or a link to a component if possible.
teodor birca commented:
I used this with success, if you use MSSQL:
"Encrypt data with a passphrase using the TRIPLE DES algorithm with a 128 key bit length."
Scott Fell, EE MVE, Developer & EE Moderator, commented:
>What is currently the best encryption method available in classic asp to store credit card data?

ASP Classic, ASP.NET, PHP, Python, Ruby... the answer is the same. You don't store credit card data on your server. The only thing you store is name, address etc. Card number, expiration date and the 3/4 digit code are stored with your payment gateway.

Typically what they do is after the transaction, respond back with a transaction id and you can store that.  Depending on who your gateway is, you can use that transaction id to send to the payment gateway for future payments IF THE CUSTOMER HAS AGREED TO SAVE PAYMENT INFORMATION.  

There are different levels of PCI compliance. Only financial institutions and payment gateways would have the level to store credit cards.

As for encryption, you are either using a one way hash (that you typically would send as a "key" to your gateway) or a 2 way. A 2 way hash means it can be decrypted with a key, a one way means it can't be decrypted (easily), and there is a good overview on this js project. However, doing any of this client side is not secure. You can use this in Classic ASP server side but JScript runs very slow.

You can find the files you need at  and there is information on AES Encryption and Decryption. FYI, there is both AES and RC4; use the AES.

When you have the files loaded, it is pretty straightforward to encrypt:

    ' Aes_Encrypt returns a string, so assign it without Set (Set is only for objects)
    myVar = CryptUtilEx.Aes_Encrypt("plaintext", "password")

and decrypt:

    ' Aes_Decrypt likewise returns a string
    myVar = CryptUtilEx.Aes_Decrypt("cyphertext", "password")

You don't have to have that entire project loaded, just the CryptAesUtilEx.asp. It is in the folder ClassicASP>Util>CryptUtilEX>CryptAesUtilEx.asp. Just include the one file as a server-side include.

That entire project is open source and you can find many of the items around the net, but it has pretty much everything you ever looked for...

Let me know if you have questions on this.
Please encrypt basic personal information with two-way encryption and passwords with a one-way hash. Never store credit card data unless you are specifically contracted and authorized by your credit card processor.
Rich Rumble, Security Samurai, commented:
If you are unaware that PCI is a worldwide credit card standard, and that storing CC data requires you to have an audit from a certified QSA, then you should not store CC data yourself.

Storing CC data is ok to do, and you should in many cases, but you have to be prepared to be PCI compliant. Being PCI compliant is very hard to do, and it may be best to use a backend or shopping cart service that is already PCI compliant.
Storing CC data in a one-way hash makes no sense other than to confirm the data when it's re-entered. When Amazon or another stores your CC, it's totally "reversible" encryption. You just have to manage the keys for the encryption in a secure fashion and that is the heart of PCI compliance.
You should encrypt the CC data to a database in most cases, and encrypt that database or the data before it's placed in a plain-text database. We recommend using an HSM as opposed to coding the encryption yourself.

BEFORE you begin storing CC data, you should be PCI compliant, and that means hiring a QSA to accredit you and your shopping cart or code. There are only a few hundred accredited QSAs in each country. You have to hire one; your company's reputation and finances are at risk, and the customers' data is at risk. Don't store CC data if you are not prepared for a lawsuit attacking your storage practices and non-compliance with PCI.

nrking83 (Author) commented:
For clarity, my company is building a shopping cart and intends to become PCI compliant. I understand the QSA procedure and PCI requirements. RichRumble, can you provide a few resources on how to use an HSM with Classic ASP?

Rich Rumble, Security Samurai, commented:
Most HSMs cost a lot, but there are also affordable ones like YubiCo's HSM.
The HSM will appear as a COM port in a Windows machine. I'm no programmer so it may be best to contact YubiCo about .NET/ASP access to the HSM; there are a few projects out there:

The more supported and costly HSMs you can get from TrustWave, RSA and Safe-Net all have good support for ASP/.NET, but again cost a lot. The cheaper options with HSMs are the internal PCI or USB devices, not the appliance-sized 1U-2U boxes :)

A YubiHSM is $500, but it's questionable how supported Windows is. Again I'd write to their staff to find out more.
Scott Fell, EE MVE, Developer & EE Moderator, commented:
Regardless of whether you store credit card data or not, you still have to be PCI compliant if the data passes through your server. You should check with your payment processor to make sure your agreement allows for CC# storage. My own preference is to only store card data via the gateway. If I have permission from the customer to save the card for later billing, I store a transaction and/or customer id provided by the gateway at time of transaction. Then the API allows for submitting the customer/payment id or a past transaction id. The burden is off your shoulders.

Best of luck!