Classic ASP Encryption for Credit Card Data

Posted on 2014-01-23
Last Modified: 2014-02-09
What is currently the best encryption method available in Classic ASP to store credit card data? Please provide a function or a link to a component if possible.
Question by:nrking83
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 39805788
>What is currently the best encryption method available in classic asp to store credit card data?

ASP Classic, ASP.NET, PHP, Python, Ruby... the answer is the same. You don't store credit card data on your server. The only things you store are name, address, etc. The card number, expiration date and 3/4-digit code are stored with your payment gateway.

Typically, after the transaction, they respond with a transaction id, and you can store that. Depending on who your gateway is, you can send that transaction id to the payment gateway for future payments IF THE CUSTOMER HAS AGREED TO SAVE PAYMENT INFORMATION.

There are different levels of PCI compliance. Only financial institutions and payment gateways would have the level to store credit cards.

As for encryption, you are either using a one-way hash (that you typically would send as a "key" to your gateway) or a two-way one. A two-way hash means it can be decrypted with a key; a one-way means it can't be decrypted (easily). There is a good overview on this JS project.  However, doing any of this client side is not secure. You can use this in Classic ASP server side, but JScript runs very slowly.

You can find the files you need at  and there is information on AES Encryption and Decryption. FYI, there are both AES and RC4; use the AES.

When you have the files loaded, it is pretty straightforward to encrypt:
 ' Aes_Encrypt returns a string, so assign it directly (Set is only for objects)
 myVar = CryptUtilEx.Aes_Encrypt("plaintext", "password")

and decrypt:
 ' Aes_Decrypt likewise returns the recovered string
 myVar = CryptUtilEx.Aes_Decrypt("cyphertext", "password")

You don't have to have that entire project loaded, just CryptAesUtilEx.asp. It is in the folder ClassicASP>Util>CryptUtilEX>CryptAesUtilEx.asp. Just include the one file as a server-side include.

That entire project is open source and you can find many of the items around the net, but it has pretty much everything you ever looked for...

Let me know if you have questions on this.
Please encrypt basic personal information with two-way encryption and passwords with one-way. Never store credit card data unless you are specifically contracted and authorized by your credit card processor.
LVL 38

Expert Comment

by:Rich Rumble
ID: 39806452
If you are unaware that PCI is a worldwide credit card standard, and that storing CC data requires you to have an audit from a certified QSA, then you should not store CC data yourself.

Storing CC data is OK to do, and you should in many cases, but you have to be prepared to be PCI compliant. Being PCI compliant is very hard to do, and it may be best to use a backend or shopping cart service that is already PCI compliant.
Storing CC data in a one-way hash makes no sense other than to confirm the data when it's re-entered. When Amazon or another stores your CC, it's totally "reversible" encryption. You just have to manage the keys for the encryption in a secure fashion, and that is the heart of PCI compliance.
You should encrypt the CC data to a database in most cases, and encrypt that database or the data before it's placed in a plain-text database. We recommend using an HSM as opposed to coding the encryption yourself.

BEFORE you begin storing CC data, you should be PCI compliant, and that means hiring a QSA to accredit you and your shopping cart or code. There are only a few hundred accredited QSAs in each country. You have to hire one; your company's reputation and finances are at risk, and the customers' data is at risk. Don't store CC data if you are not prepared for a lawsuit attacking your storage practices and non-compliance with PCI.

Author Comment

ID: 39806661
For clarity, my company is building a shopping cart and intends to become PCI compliant. I understand the QSA procedure and the PCI requirements. RichRumble, can you provide a few resources on how to use an HSM with Classic ASP?


LVL 38

Expert Comment

by:Rich Rumble
ID: 39807413
Most HSMs cost a lot, but there are also affordable ones like YubiCo's HSM.
The HSM will appear as a COM port on a Windows machine. I'm no programmer, so it may be best to contact YubiCo about .NET/ASP access to the HSM; there are a few projects out there:

The more supported and costly HSMs you can get from TrustWave, RSA and Safe-Net all have good support for ASP/.NET, but again cost a lot. The cheaper options with HSMs are the internal PCI or USB devices, not the appliance-sized 1U-2U boxes :)

A YubiHSM is $500, but it's questionable how supported Windows is. Again, I'd write to their staff to find out more.

Accepted Solution

teodor birca earned 250 total points
ID: 39813764
I used this with success, if you use MSSQL:
"Encrypt data with a passphrase using the TRIPLE DES algorithm with a 128 key bit length."
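The SQL Server passphrase functions the accepted solution points at, alongside the one-way hash for passwords that Scott Fell's answer asks for, as an added T-SQL example that is not from this thread. The passphrase, gateway id and password values are constructed, and what gets encrypted is a gateway customer id rather than a card number, in line with the advice above.

```sql
-- Added example (SQL Server 2012+), not posted by anyone in the thread.
DECLARE @pass  NVARCHAR(128) = N'correct horse battery staple';  -- constructed passphrase
DECLARE @wrong NVARCHAR(128) = N'not the passphrase';            -- constructed, deliberately wrong

-- Two-way: EncryptByPassPhrase derives a 128-bit TRIPLE DES key from the passphrase
-- and returns VARBINARY. Here it protects a gateway customer id, not a PAN.
DECLARE @token NVARCHAR(64)   = N'gw_cust_0123456789';           -- constructed gateway id
DECLARE @blob  VARBINARY(256) = EncryptByPassPhrase(@pass, @token);

-- DecryptByPassPhrase returns VARBINARY, so convert back to the original type.
-- A wrong passphrase fails the built-in integrity check and yields NULL.
SELECT CONVERT(NVARCHAR(64), DecryptByPassPhrase(@pass,  @blob)) AS decrypted_ok,   -- gw_cust_0123456789
       CONVERT(NVARCHAR(64), DecryptByPassPhrase(@wrong, @blob)) AS decrypted_bad;  -- NULL

-- One-way: a password is hashed with a per-row random salt and is never decrypted.
DECLARE @salt VARBINARY(16)  = CRYPT_GEN_RANDOM(16);
DECLARE @pwd  NVARCHAR(128)  = N'user-chosen-password';          -- constructed
DECLARE @hash VARBINARY(32)  = HASHBYTES('SHA2_256', CONVERT(VARBINARY(256), @pwd) + @salt);

-- Verification at login: recompute with the stored salt and compare the digests.
SELECT CASE WHEN HASHBYTES('SHA2_256', CONVERT(VARBINARY(256), @pwd) + @salt) = @hash
            THEN 'password ok' ELSE 'password rejected' END AS login_check;
```

The passphrase is part of the statement text, so it can surface in traces and the plan cache; supply it from the application as a parameter rather than hard-coding it in a stored procedure. SQL Server has no built-in slow password KDF, so for passwords a bcrypt or PBKDF2 in the application layer is preferable to HASHBYTES alone.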
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 39813792
Regardless of whether you store credit card data or not, you still have to be PCI compliant if the data passes through your server. You should check with your payment processor to make sure your agreement allows for CC# storage. My own preference is to only store card data via the gateway. If I have permission from the customer to save the card for later billing, I store a transaction and/or customer id provided by the gateway at the time of the transaction. Then the API allows for submitting the customer/payment id or a past transaction id. The burden is off your shoulders.

Best of luck!
