Classic ASP Encryption for Credit Card Data

Posted on 2014-01-23
Medium Priority
Last Modified: 2014-02-09
What is currently the best encryption method available in classic ASP to store credit card data? Please provide a function or link to a component if possible.
Question by:nrking83
LVL 54

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell, EE MVE earned 1000 total points
ID: 39805788
>What is currently the best encryption method available in classic asp to store credit card data?

ASP Classic, ASP.NET, PHP, Python, Ruby... the answer is the same. You don't store credit card data on your server. The only thing you store is name, address etc. Card number, expiration date and 3/4 digit code are stored with your payment gateway.

Typically what they do is, after the transaction, respond back with a transaction id and you can store that. Depending on who your gateway is, you can use that transaction id to send to the payment gateway for future payments IF THE CUSTOMER HAS AGREED TO SAVE PAYMENT INFORMATION.

There are different levels of PCI compliance. Only financial institutions and payment gateways would have the level to store credit cards: http://www.pcicomplianceguide.org/pcifaqs.php

As for encryption, you are either using a one way hash (that you typically would send as a "key" to your gateway) or a 2 way. A 2 way hash means it can be decrypted with a key; a one way means it can't be decrypted (easily).

http://en.wikipedia.org/wiki/Cryptography and there is a good overview on this JS project https://code.google.com/p/crypto-js/. However, doing any of this client side is not secure. You can use this in classic ASP server-side, but JScript runs very slowly.

You can find the files you need at http://www.classicasp.org/ and there is information on AES Encryption and Decryption at http://www.classicasp.org/lib/asp/org/classicasp/doc/index.htm. FYI, there are both AES and RC4; use the AES: http://www.differencebetween.net/technology/internet/difference-between-aes-and-rc4/

When you have the files loaded, it is pretty straightforward to encrypt
 ' Aes_Encrypt returns a string, so assign it directly (Set is only for object references)
 myVar = CryptUtilEx.Aes_Encrypt("plaintext", "password")

and decrypt
 ' Aes_Decrypt likewise returns the recovered plaintext as a string
 myVar = CryptUtilEx.Aes_Decrypt("cyphertext", "password")

You don't have to have that entire project loaded, just the CryptAesUtilEx.asp. It is in the folder ClassicASP>Util>CryptUtilEX>CryptAesUtilEx.asp. Just include the one file as a server-side include.

That entire project is open source and you can find many of the items around the net, but it has pretty much everything you ever looked for...

Let me know if you have questions on this.  
Please encrypt basic personal information with a 2 way encryption and passwords with a one way.  Never store credit card data unless you are specifically contracted and authorized by your credit card processor.
LVL 38

Expert Comment

by:Rich Rumble
ID: 39806452
If you are unaware that PCI is a worldwide credit card standard, and that storing CC data requires you to have an audit from a certified QSA, then you should not store CC data yourself.

Storing CC data is OK to do, and you should in many cases, but you have to be prepared to be PCI compliant. Being PCI compliant is very hard to do, and it may be best to use a backend or shopping cart service that is already PCI compliant.
Storing CC data in a one-way hash makes no sense other than to confirm the data when it's re-entered. When Amazon or another stores your CC, it's totally "reversible" encryption. You just have to manage the keys for the encryption in a secure fashion, and that is the heart of PCI compliance.
You should encrypt the CC data to a database in most cases, and encrypt that database or the data before it's placed in a plain-text database. We recommend using an HSM as opposed to coding the encryption yourself.

BEFORE you begin storing CC data, you should be PCI compliant, and that means hiring a QSA to accredit you and your shopping cart or code. There are only a few hundred accredited QSAs in each country. You have to hire one; your company's reputation and finances are at risk, and the customers' data is at risk. Don't store CC data if you are not prepared for a lawsuit attacking your storage practices and non-compliance with PCI.
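A worked example of the one-way side of what Scott Fell ("passwords with a one way") and Rich Rumble ("confirm the data when it's re-entered") describe, added here as an editor's illustration; it is not code from either poster or from the classicasp.org library. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-record salt); the iteration count and the record format are this example's own assumptions. The stored record lets you verify a re-entered value but offers no way back to the original, which is why this shape suits passwords and not card numbers that must be sent to a gateway again.

```python
import hashlib
import hmac
import os

# Assumed parameters (this example's own choices, not taken from the thread).
PBKDF2_ITERATIONS = 300_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way: derive a salted PBKDF2-HMAC-SHA256 digest and return a storable record.

    The record holds algorithm, iteration count, salt and digest, all needed to
    re-derive later; the password itself is not recoverable from it.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Confirm a re-entered value: re-derive with the stored salt, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record, never a match
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)                                             # what the database keeps
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("wrong guess", stored))                    # False
```

Because the salt is random, hashing the same password twice yields two different records, so a leaked table gives no cross-user hints; verification still works because the salt travels inside the record.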

Author Comment

ID: 39806661
For clarity, my company is building a shopping cart and intends to become PCI compliant. I understand the QSA procedure and PCI requirements. RichRumble, can you provide a few resources on how to use an HSM with Classic ASP?


LVL 38

Expert Comment

by:Rich Rumble
ID: 39807413
Most HSMs cost a lot, but there are also affordable ones like YubiCo's HSM:
http://www.yubico.com/products/yubihsm/ http://www.yubico.com/wp-content/uploads/2012/10/YubiHSM-Manual-v1.0.4.pdf
The HSM will appear as a COM port on a Windows machine. I'm no programmer, so it may be best to contact YubiCo about .NET/ASP access to the HSM; there are a few projects out there: https://code.google.com/p/yubikey-net/ https://code.google.com/p/nodatabase-yubikey-server/

The more supported and costly HSMs you can get from TrustWave, RSA and Safe-Net all have good support for ASP/.NET, but again cost a lot. The cheaper options with HSMs are the internal PCI or USB devices, not the appliance-sized 1U-2U boxes :)

A YubiHSM is $500, but it's questionable how well Windows is supported. Again, I'd write to their staff to find out more.

Accepted Solution

teodor birca earned 1000 total points
ID: 39813764
I used this with success, if you use MSSQL:
"Encrypt data with a passphrase using the TRIPLE DES algorithm with a 128 key bit length."

LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39813792
Regardless of whether you store credit card data or not, you still have to be PCI compliant if the data passes through your server. You should check with your payment processor to make sure your agreement allows for cc# storage. My own preference is to only store card data via the gateway. If I have permission from the customer to save the card for later billing, I store a transaction and/or customer id provided by the gateway at the time of the transaction. Then the API allows for submitting the customer/payment id or a past transaction id. The burden is off your shoulders.

Best of luck!
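As an added illustration of the store-the-gateway-id flow that Scott Fell describes in both of his posts (this is editor-written example code, not code from the thread, from classicasp.org, or from any real gateway's SDK): a constructed mock gateway vaults the card and hands back ids, the merchant side persists only those ids plus last4 and brand, and a Luhn-based guard on the way into the merchant store refuses any value that looks like a card number, so a stray order note or debug field cannot quietly put PAN data into your database. The test card number, the id formats and the field names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed test card number (a widely used Luhn-valid test value, not a real account).
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, so it is a cheap PAN detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def contains_pan(value: str) -> bool:
    """True if the value holds a digit run that looks like a card number and passes Luhn."""
    for match in PAN_CANDIDATE.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", match.group(0))):
            return True
    return False


def _brand(pan: str) -> str:
    return "VISA" if pan.startswith("4") else "OTHER"    # simplified, for the example only


@dataclass(frozen=True)
class GatewayResponse:
    transaction_id: str
    customer_token: str      # empty unless the customer agreed to have the card saved
    last4: str
    brand: str


class MockGateway:
    """Stand-in for the payment gateway (constructed): the only party that holds the card."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}    # token -> PAN; lives at the gateway, never at the merchant
        self._counter = 0

    def _next_id(self, prefix: str) -> str:
        self._counter += 1
        return f"{prefix}_{self._counter:06d}"   # constructed id format

    def charge(self, pan: str, expiry: str, cvv: str, amount_cents: int,
               save_card: bool) -> GatewayResponse:
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        token = ""
        if save_card:                        # only with the customer's consent
            token = self._next_id("cus")
            self._vault[token] = pan
        return GatewayResponse(self._next_id("txn"), token, pan[-4:], _brand(pan))

    def charge_token(self, customer_token: str, amount_cents: int) -> GatewayResponse:
        """Later billing uses the token; the merchant never sees the PAN again."""
        pan = self._vault[customer_token]
        return GatewayResponse(self._next_id("txn"), customer_token, pan[-4:], _brand(pan))


class MerchantStore:
    """The merchant's own database. The guard refuses to persist anything that looks like a PAN."""

    def __init__(self) -> None:
        self.rows: List[Dict[str, str]] = []

    def save(self, row: Dict[str, str]) -> None:
        for field, value in row.items():
            if contains_pan(value):
                raise ValueError(f"refusing to persist a card number in field {field!r}")
        self.rows.append(dict(row))


def checkout(gateway: MockGateway, store: MerchantStore, customer: str, pan: str,
             expiry: str, cvv: str, amount_cents: int, save_card: bool) -> GatewayResponse:
    """Send the card to the gateway; persist only what the gateway hands back."""
    resp = gateway.charge(pan, expiry, cvv, amount_cents, save_card)
    store.save({"customer": customer, "txn": resp.transaction_id, "token": resp.customer_token,
                "last4": resp.last4, "brand": resp.brand, "amount_cents": str(amount_cents)})
    return resp


def rebill(gateway: MockGateway, store: MerchantStore, customer_token: str,
           amount_cents: int) -> GatewayResponse:
    """Charge a saved customer again using nothing but the stored token."""
    resp = gateway.charge_token(customer_token, amount_cents)
    store.save({"txn": resp.transaction_id, "token": customer_token,
                "amount_cents": str(amount_cents)})
    return resp


if __name__ == "__main__":
    gw, db = MockGateway(), MerchantStore()
    first = checkout(gw, db, "A. Customer", TEST_PAN, "12/29", "123", 1999, save_card=True)
    rebill(gw, db, first.customer_token, 999)
    print(db.rows)              # ids, last4 and brand only; no card number anywhere
```

The guard is deliberately conservative: it flags any Luhn-valid 13 to 19 digit run, which will occasionally catch a long order number, but a false positive on an order id is far cheaper than a real PAN landing in a table that is then in scope for a QSA audit.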
