[drupal-devel] In database encryption.

Daniel Convissor danielc at analysisandsolutions.com
Wed Jun 8 01:02:59 UTC 2005


On Wed, Jun 08, 2005 at 10:42:38AM +1000, Gordon Heydon wrote:
> 
> What I was thinking of doing is using the mcrypt module for php to
> encrypt the credit card for storage in the database. The problem that I
> have come up against is working out which would be the best method of
> creating the key for the encryption.

Below is what I would do.  Perhaps folks here have other ideas.  I'm sure 
there are plenty of articles about this on the net if you looked.

In general, if you're not performing recurring transactions, do not 
store the credit card numbers, just save the last four digits.

But, if you need to save the cc numbers to perform recurring transactions, 
have the key be typed in manually by the person 
(webmaster/administrator/office staff/etc -- NOT the customer) performing 
the current transaction.  There should be one key.  The key should be 
considered a "password."  The key should be md5 hashed then stored 
somewhere for later comparison.  So, if the person types in the wrong key, 
the program won't run (and won't mistakenly encrypt the cards with the 
wrong key).

Of course, make sure that database is stored in a secure location and the 
password is only entered via secure connections.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
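
The operator-entered key check described in the message above, sketched in PHP as an added example that is not part of the original post or of Drupal's code. Assumptions: all function names are hypothetical, `password_hash()` stands in for the MD5 verifier and OpenSSL AES-256-GCM for mcrypt, and the card number is a constructed test value.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.
// Assumption: password_hash() replaces the MD5 verifier and OpenSSL AES-256-GCM
// replaces mcrypt, which current PHP releases no longer ship.

// Run once at setup: store both values; neither reveals the passphrase.
function make_key_record(string $passphrase): array {
    return [
        'verifier' => password_hash($passphrase, PASSWORD_DEFAULT),
        'kdf_salt' => random_bytes(16),
    ];
}

// Refuse to continue on a mistyped passphrase, then derive the AES key.
function unlock_key(string $passphrase, array $record): string {
    if (!password_verify($passphrase, $record['verifier'])) {
        throw new RuntimeException('Wrong key: nothing was encrypted or decrypted.');
    }
    return hash_pbkdf2('sha256', $passphrase, $record['kdf_salt'], 600000, 32, true);
}

// Keep only the last four digits in the clear; the full number goes in the blob.
function encrypt_card(string $pan, string $key): array {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException('Encryption failed.'); }
    return ['last4' => substr($pan, -4), 'blob' => base64_encode($iv . $tag . $ct)];
}

// Blob layout: 12-byte IV, 16-byte GCM tag, then the ciphertext.
function decrypt_card(string $blob, string $key): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= 28) { throw new RuntimeException('Malformed record.'); }
    $pan = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pan === false) { throw new RuntimeException('Decryption failed.'); }
    return $pan;
}

// Constructed sample data: a standard test card number, not a real account.
$record = make_key_record('correct horse battery staple');
$key    = unlock_key('correct horse battery staple', $record);
$row    = encrypt_card('4111111111111111', $key);
echo $row['last4'], "\n", decrypt_card($row['blob'], $key), "\n";
try {
    unlock_key('correct horse battery stapel', $record); // mistyped on purpose
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```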


