[drupal-devel] In database encryption.

Gordon Heydon gordon at heydon.com.au
Wed Jun 8 00:40:39 UTC 2005


Hello,

I have developed a payment gateway for the ecommerce module for use with
the St George Bank here in Australia. This uses their batch processing
system which means there is user intervention to download and process
payments, and then upload back the responses.

I have gotten the communication between the webserver and external
parties working through the encrypted links, so everything is safe
there, but the credit cards are stored in an unencrypted form in the
database.

What I was thinking of doing is using the mcrypt module for php to
encrypt the credit card for storage in the database. The problem that I
have come up against is working out which would be the best method of
creating the key for the encryption.

I have thought about using a random number that I then store in the
database with a variable_set() which would be better than just using a
static key. But if the key is lost then so are all the credit cards that
have not been processed.

This is not going to be really secure as someone can just read the
program and create a small function that will decrypt it anyway, but at
least it will stop them for 5 minutes.

Any help would be most appreciated.
Gordon.
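
The key-handling question above, as an added example that is not part of the original post: the key is generated once and kept in a file outside the database, so a copy of the database alone does not yield card numbers. It uses PHP's libsodium extension in place of mcrypt (since removed from PHP); the key path, the `$db` array and the function names are assumptions made for the illustration.

```php
<?php
// Added example. libsodium (PHP >= 7.2) stands in for mcrypt.
// All names and paths below are hypothetical.

function load_key(string $path): string {
    if (!is_file($path)) {
        // First run: create a random 256-bit key, readable by the owner only.
        $old = umask(0077);
        file_put_contents($path, sodium_crypto_secretbox_keygen());
        umask($old);
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('Key file missing or wrong size');
    }
    return $key; // back this file up separately: losing it loses every stored card
}

function encrypt_card(string $pan, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per record
    return base64_encode($nonce . sodium_crypto_secretbox($pan, $nonce, $key));
}

function decrypt_card(string $stored, string $key): string {
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered record');
    }
    return $plain;
}

// Demo path only; a real deployment would use a location outside the web root.
$key = load_key(sys_get_temp_dir() . '/gateway-demo.key');
// Constructed stand-in for the database table, holding a well-known test number.
$db = ['txn_1001' => encrypt_card('4111111111111111', $key)];
echo decrypt_card($db['txn_1001'], $key), "\n";

// Someone holding only the database contents (no key file) cannot decrypt:
try {
    decrypt_card($db['txn_1001'], sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo 'database copy without key file: ', $e->getMessage(), "\n";
}
```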
