Thread: store credit cards for customers

  1. #1

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    store credit cards for customers

    I need to store credit card info for customers, but obviously I want it to be secure.

    I don't really want to store them in my SQL Server, as if it was ever compromised that would be a big problem. If I encrypted the values in the DB, I would need the code to decrypt them in the webpage, and the website and SQL Server sit on the same machine, so an attack could give a hacker both items they would need to get the card numbers...

    what I was thinking, was to store the credit card numbers in cookies on the customer's local machine, but encrypt them using the password for their account (which is stored in my SQL Server)

    so when they log in, the key would be available to decrypt the cookie and have the valid card number....

    If that is not secure enough, I was thinking about doing that with half the card number, and the second half be stored in the database, and they would be put together at transaction time..

    what do you guys think?

  2. #2
    Big D Danial's Avatar
    Join Date
    Jul 2000
    Location
    ASP.Net Forum
    Posts
    2,877

    Re: store credit cards for customers

    Quote Originally Posted by kleinma
    I need to store credit card info for customers, but obviously I want it to be secure.

    I don't really want to store them in my SQL Server, as if it was ever compromised that would be a big problem. If I encrypted the values in the DB, I would need the code to decrypt them in the webpage, and the website and SQL Server sit on the same machine, so an attack could give a hacker both items they would need to get the card numbers...

    what I was thinking, was to store the credit card numbers in cookies on the customer's local machine, but encrypt them using the password for their account (which is stored in my SQL Server)

    so when they log in, the key would be available to decrypt the cookie and have the valid card number....

    If that is not secure enough, I was thinking about doing that with half the card number, and the second half be stored in the database, and they would be put together at transaction time..

    what do you guys think?

    It's never a good idea to store a CC card or Password in a Database. The usual practice is to store the Hash value of the CC card and store that hash value in the DB. Most sites use this technique and almost all sites use this to store passwords, including vBulletin.

    I personally use the MD5 Hash function to store Password or CC card information; this way even if the Database is compromised they will never be able to get the sensitive information.

  3. #3
    Frenzied Member TomGibbons's Avatar
    Join Date
    Feb 2002
    Location
    San Diego, CA Previous Location: UK
    Posts
    1,345

    Re: store credit cards for customers

    I MD5 all passwords and the like. But you can't do a great deal with credit card information if all you have is a one way hash. Sort of defeats the purpose of storing it in the first place, no?

    I like the cookies idea, but what if the end user clears the cookies or they expire? *scratches chin*

  4. #4

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: store credit cards for customers

    yeah i thought about that.... but can't you set cookies to not expire??? also if they delete them they have to enter it again... they would be informed it's kept in a cookie....

    if i did a reversible md5 hash on the CC, then i could encrypt it into the DB, and decrypt it when it's pulled, but this could be a problem since i would also have to store the password used for the encryption on my website in the asp.net application... so if they compromised the DB, they could also get the asp.net files, and have both sets of info they need to get the numbers....

    i just want to cover my ass for when we start doing this.. i know it's done on many sites.. so i know it's very possible.. i also know some of these sites have gotten hacked in the past...

  5. #5
    Big D Danial's Avatar
    Join Date
    Jul 2000
    Location
    ASP.Net Forum
    Posts
    2,877

    Re: store credit cards for customers

    Quote Originally Posted by kleinma
    yeah i thought about that.... but can't you set cookies to not expire??? also if they delete them they have to enter it again... they would be informed it's kept in a cookie....

    if i did a reversible md5 hash on the CC, then i could encrypt it into the DB, and decrypt it when it's pulled, but this could be a problem since i would also have to store the password used for the encryption on my website in the asp.net application... so if they compromised the DB, they could also get the asp.net files, and have both sets of info they need to get the numbers....

    i just want to cover my ass for when we start doing this.. i know it's done on many sites.. so i know it's very possible.. i also know some of these sites have gotten hacked in the past...

    Tom, you are right: if you use a one-way hash then you can't get the information back. To be honest there is no fool-proof way of storing CC card data safely if you have to read it back.

    kleinma, I would strongly advise you against storing CC card info on the user's PC even though it might be encrypted. There are many risks, e.g. the user might be using a shared computer. Also some browsers including IE block cookies, so if that's the case you won't be able to save the cookie.

    Do you have to store the Password? Are you passing it to a 3rd party gateway for verification? Why not store the other information apart from the actual number?

    Read these articles; they might help you secure the data if you choose to store it.

    http://www.seifried.org/security/cry...toring-cc.html
    http://www.webmasterworld.com/forum22/3015.htm

    I was just thinking, why not use an encryption key which is derived from your Host, e.g. Host's HD Serial + Host IP + other Unique Config etc. I would write a COM object which will contain my Decryption routine; this will generate the Unique Key from those elements I mentioned, and this key will be Unique to this machine. This will reduce the risk of someone getting hold of the decryption key if the Host's security is compromised.

    I know if the server is compromised they can decrypt it onsite, but at least it will be harder to decrypt them offline. Maybe you should monitor all decryption attempts on the server.

    What technology are you using? If it's ASP or ASP.Net then you can implement something similar using COM.

    Just an idea off the top of my head, haven't given it much thought.

    Hope this helps.

    Danial

  6. #6
    Frenzied Member <ABX's Avatar
    Join Date
    Jul 2002
    Location
    Canada eh...
    Posts
    1,622

    Re: store credit cards for customers

    If you are going to store the password in the database use a good encryption method and require 128-bit SSL.

    I would encrypt the credit card number based on the plain text (or reversible cipher) password... store a hash of the user's password in the database (for login) and then the credit card number could only be decrypted if the client supplies the plain text password.

    I would also never allow the user to view their credit card information (or at least require a login even if they are currently logged in)

    I would also encrypt the expiry date and security code (if it has it) as well as the type .... this would be a drag on performance.

    I would also be careful about generating keys based on the host's hardware because hardware fails and gets updated... you might end up, at the very least, regenerating all your data from the old database -- if you were able to recover the key.
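The design ABX describes above (a hash of the user's password kept for login, the card number encrypted under a key that only the user's plaintext password can produce) in working form. This is an added example, not code from the thread or from any poster. It assumes a Python 3.9+ standard library only: the PBKDF2 iteration count, the salt and nonce sizes, the HMAC-SHA256 counter-mode construction (which stands in for AES-GCM purely to stay dependency-free; use a vetted AEAD in production) and the sample card number are all assumptions or constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# Parameters chosen for this illustration (assumptions, not from the thread).
PBKDF2_ITERATIONS = 200_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes, bytes]:
    """Stretch the password once, then split the result into three
    independent keys. Only login_verifier is ever written to the database;
    enc_key and mac_key exist in memory for the duration of the request."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    login_verifier = hmac.new(master, b"login-verifier", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"card-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"card-mac", hashlib.sha256).digest()
    return login_verifier, enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF (a stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_customer_record(password: str, card_number: str) -> dict:
    """Build the row that would be stored: salt, login verifier, sealed card."""
    salt = secrets.token_bytes(16)
    login_verifier, enc_key, mac_key = derive_keys(password, salt)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = card_number.encode("ascii")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC so a modified blob is rejected before decryption.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "login_verifier": login_verifier,
            "card_blob": nonce + ciphertext + tag}


def unlock_card(record: dict, password: str):
    """Return the card number for the right password, None when the login
    check fails, and raise ValueError if the stored blob was tampered with."""
    login_verifier, enc_key, mac_key = derive_keys(password, record["salt"])
    if not hmac.compare_digest(login_verifier, record["login_verifier"]):
        return None
    blob = record["card_blob"]
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("card record failed integrity check")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values: a well-known test card number, not a real card.
    rec = create_customer_record("correct horse battery staple", "4111111111111111")
    print(unlock_card(rec, "correct horse battery staple"))
    print(unlock_card(rec, "wrong password"))
```

What this buys and what it does not: a copy of the database alone yields only salts, verifiers and sealed blobs, and the card is as hard to recover as the password is to guess offline, since both keys come from the same stretched secret. A forgotten password loses the card (there is no recovery path unless a second key is stored somewhere), a password change must re-encrypt the blob while the old password is still in hand, and an attacker who has the web server during a live session still sees the derived key in memory, which is exactly the residual risk the thread keeps coming back to.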

  7. #7
    Frenzied Member Magiaus's Avatar
    Join Date
    Mar 2002
    Location
    swamp land
    Posts
    1,267

    Re: store credit cards for customers

    When I worked at a Bank a few years back we actually used the CC info as a basis to setup an account for Online Banking. CC being Check Card in this case. We hosted our own servers and counted on our Servers being secure. I'm going to point out now that the people at the bank were not top notch programmers. They were good at the job they did but they weren't leading in the industry. The bank brought in an outside agent to secure the Servers. Firewalls and so on. We had no encryption, period. I imagine it is still that way. Complete faith in the SSL the Firewall and this one guy saying everything was secure....

  8. #8
    nemaroller
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704

    Re: store credit cards for customers

    I have to implement credit card processing on a furniture site soon... but thankfully, there is no need to rebill the customer. All transactions will be live - and they will be required to re-fill their cc info every transaction. But that's a furniture store where people don't normally buy more than one thing a year.

    So all I need to do really is just store perhaps the last 3 digits of their cc number - although I wonder if the last three digits are the most identifying part of the number or not... ?
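nemaroller's plan (every transaction live, only a few trailing digits kept) combined with a keyed version of the "store a hash of the card" idea from earlier in the thread, as an added example that is not code from the thread or from any poster. It assumes the site keeps the last four digits (the post above says three; the count is a parameter), that a site_key lives outside the database (application configuration or a key store), and uses constructed sample numbers.

```python
import hashlib
import hmac

# Assumption for this illustration: keep the last four digits (PCI DSS permits
# displaying at most the first six and last four of a PAN).
KEEP_LAST = 4


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is stored or
    sent to the gateway. Accepts digits with optional spaces."""
    number = number.replace(" ", "")
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(number: str, keep_last: int = KEEP_LAST) -> str:
    """The only human-readable form that is stored or shown to the customer."""
    number = number.replace(" ", "")
    return "*" * (len(number) - keep_last) + number[-keep_last:]


def card_reference(number: str, site_key: bytes) -> str:
    """Keyed token that lets the site recognise a returning card (e.g. for
    fraud checks) without holding the number. An unkeyed hash, as suggested
    earlier in the thread, is not enough here: with the issuer prefix and the
    Luhn digit fixed, the space of valid numbers is small enough to enumerate,
    so the token must depend on a secret that is not in the database."""
    number = number.replace(" ", "")
    return hmac.new(site_key, number.encode("ascii"), hashlib.sha256).hexdigest()


def order_record(number: str, site_key: bytes) -> dict:
    """Row written after a live authorisation: nothing in it reconstructs the PAN."""
    if not luhn_valid(number):
        raise ValueError("card number fails Luhn check")
    return {"masked": mask_card(number),
            "reference": card_reference(number, site_key)}


if __name__ == "__main__":
    # Constructed sample values: a well-known test card number and a dummy key.
    demo_key = b"site-key-loaded-from-config-not-db"
    print(order_record("4111 1111 1111 1111", demo_key))
```

The reference token is deterministic per key, so the same card produces the same token across orders, while rotating site_key invalidates every token at once; that is the intended behaviour, since the token is a recognition aid and not a substitute for the number itself.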

  9. #9
    Frenzied Member Magiaus's Avatar
    Join Date
    Mar 2002
    Location
    swamp land
    Posts
    1,267

    Re: store credit cards for customers

    I don't know how much this helps but cards have a 3 digit verification number now. I know Check Cards have this at least I assume Credit Cards do as well.

  10. #10
    PowerPoster hellswraith's Avatar
    Join Date
    Jul 2002
    Location
    Washington St.
    Posts
    2,464

    Re: store credit cards for customers

    Storing credit card numbers is a horrible idea if you are not aware of what you are doing. Most companies can not dedicate the resources to handle the security aspects of things.

    People, the managers don't understand; it is our job to inform them. You can only make it as secure as much as you know security. If you are asking this question here, you don't know it enough to implement this solution. 1,000 hackers have more knowledge than you, so be humble in this area.

    Tell the managers that if you store credit cards, you immediately become a target to a whole new breed of hackers. This breed tries to get credit card numbers to steal people's identities. If even one is successful, your company is liable 100% if you did not do due diligence to keep the information completely safe.

    Outside companies that handle this employ everything they know to keep the card numbers safe. This is their FULL TIME JOB. They wouldn't be so big if they were not successful in doing this.

    Give these links to your managers, this they will understand:
    First, some insurance to cover what you are going to do:
    http://www.hoyla.com/sec_c.html

    http://www.aignetadvantage.com/bp/se...laims.examples

    http://www.geeknewz.com/board/lofive...php/t1850.html

    http://www.wcpo.com/news/2003/local/08/08/hacker.html

    Have fun. I would NEVER put my name on some home grown solution involving credit cards unless EVERY aspect of security is covered. This includes full time monitoring. If you can't do this, contract it out.
    Be careful.

  11. #11
    Frenzied Member Magiaus's Avatar
    Join Date
    Mar 2002
    Location
    swamp land
    Posts
    1,267

    Re: store credit cards for customers

    Quote Originally Posted by nemaroller
    I have to implement credit card processing on a furniture site soon... but thankfully, there is no need to rebill the customer. All transactions will be live - and they will be required to re-fill their cc info every transaction. But that's a furniture store where people don't normally buy more than one thing a year.

    So all I need to do really is just store perhaps the last 3 digits of their cc number - although I wonder if the last three digits are the most identifying part of the number or not... ?

    The starting digits are common for each company; they use a set. This is how CC Gen programs work. I don't remember the sets right now, but look at your Visa: does it start with 4668?

    Hellswraith is right though; I've had people ask me many times to just throw around cc info and turned down the job for that reason.

    There is a lot to think about. If your SQL Server resides on a separate server, has it been moved off the default port? If it's on the same server have you closed the port? Are your logs on? Are you tracking the IP of the request? (You know which Coffee Shop, College, or library the hacker was at? Did he reroute his IP 36 or 37 times?) Are you sending a verify request to an e-mail address? Use SSL.

    Even better use SSL, Frames and an ISAPI Component. Ever seen a site with a URL of https://url.com/secure/cart.dll?orde...d&prod_id=guid

    it's a lot of work.

    Hellswraith the URL rewrite would cover a dll like this without the ISAPI.

    Can you set a SELECT Trigger in SQL Server?
