saving credit card info


kleinma
Feb 9th, 2004, 08:19 AM
We want to allow users of our site to save a credit card on file so they can do quick purchasing, but I don't want to store their numbers in a database because of security. I was thinking of storing all their account info in our DB, but storing the credit card in a cookie? Or possibly storing half the card number in a cookie, and the other half in the DB?

What do you think?

svatasoiu
Feb 9th, 2004, 09:39 AM
Hi,
You can save the sensitive info in your DB if you encrypt it beforehand.
.NET provides good support for encryption and I think it is secure.
You can choose a random encryption key, store it somewhere in a secure way, and limit access to that key to only the programs you know will need to use it.
This is the way I do it, and it does work well.
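
The approach described in the post above (a random key held outside the database, card data encrypted before it is stored), as an added example that is not part of the thread and not any poster's code. It uses Node.js rather than ASP or .NET; the function names, the row layout and the idea of binding each row to its customer ID are assumptions made for illustration.

```javascript
// Added example (Node.js); names and the record layout are hypothetical.
const crypto = require('node:crypto');

// Assumption: in production the 32-byte key is loaded from a key store or
// environment secret readable only by the payment code, never from the DB.
function loadKey() {
  return crypto.randomBytes(32); // stand-in for the real key source
}

// Encrypt a card number into the fields that would go in one DB row.
function sealCard(key, customerId, pan) {
  if (!/^\d{13,19}$/.test(pan)) throw new Error('PAN must be 13-19 digits');
  const nonce = crypto.randomBytes(12);            // fresh per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(String(customerId)));  // bind row to its owner
  const ct = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
  return {
    customerId,
    last4: pan.slice(-4),                          // for "card ending in"
    nonce: nonce.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt a row; throws if the key, row contents or owner do not match.
function openCard(key, row) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(row.nonce, 'base64'));
  decipher.setAAD(Buffer.from(String(row.customerId)));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  return Buffer.concat([
    decipher.update(Buffer.from(row.ct, 'base64')),
    decipher.final(),                              // verifies the tag
  ]).toString('utf8');
}

// Constructed sample: a well-known test card number, not a real account.
const key = loadKey();
const row = sealCard(key, 1001, '4111111111111111');
console.log(row.last4, openCard(key, row) === '4111111111111111');
```

A copy of the database alone yields only `last4` and ciphertext; decryption also needs the key, which is why the key has to live somewhere the database host cannot read.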

kleinma
Feb 9th, 2004, 09:55 AM
Originally posted by svatasoiu
Hi,
You can save the sensitive info in your DB if you encrypt it beforehand.
.NET provides good support for encryption and I think it is secure.
You can choose a random encryption key, store it somewhere in a secure way, and limit access to that key to only the programs you know will need to use it.
This is the way I do it, and it does work well.

Well, I am actually not going to be using .NET, just regular ASP for this site.

nswan
Feb 10th, 2004, 05:32 AM
Can't you get an SSL certificate for your website? I think that does all the encryption for you between server and user??

kleinma
Feb 10th, 2004, 10:10 AM
I do have a 128-bit SSL cert installed. I am just worried about storing customers' CC numbers. I mean, I can only assume that the SQL Server we have space on is secure, but we use a webhost and the server isn't here in my office, so it is hard to say who could have access to the information. That is why I don't feel safe storing customers' whole CC numbers in the DB.

I figure if the first half of the CC is in a cookie, and the second half is in the DB, then I could put them both together when the customer wanted to buy something.

I guess I could encrypt the CC number to store it in the DB, but any good hacker would probably be able to decrypt it anyway.. I will have to look into valid encryption methods over ASP