[ic] Credit Card numbers Stored Encrypted in SQL Database - Finally Answered!

Russ Mann tech@khouse.org
Wed, 25 Apr 2001 14:41:21 -0600

Thank you!  Amazing what it takes to get an answer on this list :)

-----Original Message-----
From: interchange-users-admin@lists.akopia.com
[mailto:interchange-users-admin@lists.akopia.com]On Behalf Of Jon Jensen
Sent: Wednesday, April 25, 2001 2:25 PM
To: interchange-users@lists.akopia.com
Subject: RE: [ic] Credit Card numbers Stored Encrypted in SQL Database -
No Answer Yet

On Wed, 25 Apr 2001, Russ Mann wrote:

> So, correct me if I'm wrong, but because of the RH takeover, IC looses
> functionality?  There is ZERO risk involved with storing CC#'s on disk if
> they're ENCRYPTED, Which is precisely what I'm trying to do.  It worked
> fine in MV....

It still works fine. I just did it the other day.

First, make sure all your PGP encryption is set up and working right. You
should be getting PGP encrypted card info in the order email sent to you.

Now you need to add a field for the encrypted info to your transactions
database. I called mine 'cc_info'. Make sure the field is large; in MySQL,
I used type 'text'.

Then edit etc/log_entry and etc/log_transaction. In each one, after this

[import table=transactions type=LINE continue=NOTES]


cc_info: [value filter=mac name=mv_credit_card_info]

That should do it.

Keep in mind that this is only relatively secure if the secret key and
passphrase are not on a network-connected machine at all. It's perfectly
safe to encrypt the number and store it; adding one-click functionality
requires that you somehow decrypt it automatically, which is where you
open a large security hole. Leaving aside Amazon's patent claims on the
technique ...


Interchange-users mailing list