[ic] Real-Time Credit Card Transactions And Storing Credit Card Data

Paul Jordan interchange-users@icdevgroup.org
Mon Oct 7 17:18:01 2002


> At 09:29 AM 10/7/2002 -0700, you wrote:
> >Hey everyone,
> >
> >I'm currently authorizing credit cards in real time and storing the
> >transaction ID in the "order_id" column in the transactions table. Then,
> >when the order has been processed we then capture funds from the open
> >authorization.
> >
> >However, I need to be able to store the credit card information in our
> >database for reference purposes. I plan on using real-time credit card
> >transactions but also want to store credit cards too. Of course I need
> >the data to be encrypted. Using PGP will be good enough. Can someone
> >give information on how to do this?
>
> If you want to store the credit cards encrypted, that is easy ([value
> mv_credit_card_info], I think), but if you want to *retrieve* the encrypted
> credit card and decrypt it on the server -- that is easy too, but not
> recommended, because it means that your server has to have access to the
> private key somehow.
>
> If someone steals all your credit card numbers (encrypted), that would be
> bad, but they would still have a pretty hard time cracking them. However,
> if they stole your private key along with the encrypted card numbers, that
> would be doubly bad, because they would only have one key to crack
> (assuming you used a passphrase).
>
> Besides a private key passphrase there are a lot of additional security
> measures you can take, but there will always be an element of risk.
> However, some feel (Amazon.com, for example) that the risk is worth the
> benefit. Basically, the answer is "Yes, it is easy. But the hard part is
> the security/risk-taking."
>
> -- Dan


Dan, I am a newbie, and don't know much on the sub, but it seems like he
wants to decrypt it just for private backend type people. Couldn't he create
a page on their local computers that accessed the page on the remote server
(that displayed encrypted numbers)? The local page could have the PGP key and
some sort of function to decrypt it for local computer viewing. So, the only
thing on the remote server is the encrypted numbers. Not that I am saying it
is good practice.

I may be way off here; I just thought I would inject that thought.

Paul
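The split that Dan and Paul are circling is the usual answer: the web server holds only the public key, so it can write card records but can never read them back; the private key (passphrase-protected) lives on the back-office machine that does the viewing. The example below is added here to show that split in working code; it is not from the original thread, not Interchange code, and not PGP. It uses Go's standard library (RSA-OAEP to wrap a per-record AES-256-GCM key) as a stand-in for the PGP envelope the thread discusses; the type and function names, the OAEP label, the associated-data string and the 4111111111111111 test number are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Labels bind the wrapped key and the sealed record to this purpose.
// Both values are assumptions of this example, not Interchange settings.
var (
	oaepLabel = []byte("card-on-file dek")
	aadLabel  = []byte("card-on-file record")
)

// StoredCard is all the store-front server keeps in its database: the card
// number sealed under a fresh per-record AES-256-GCM key, plus that key
// wrapped to the back-office RSA public key. Without the private key none of
// these fields can be turned back into a card number.
type StoredCard struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptForBackOffice runs on the web server, which holds only the public key.
func EncryptForBackOffice(pub *rsa.PublicKey, cardNumber string) (*StoredCard, error) {
	dek := make([]byte, 32) // fresh data-encryption key per record
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(cardNumber), aadLabel)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &StoredCard{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptOnWorkstation runs on the back-office machine holding the private
// key, after it has fetched the StoredCard fields from the server. A wrong
// key, a tampered record or a corrupted one is rejected rather than decoded.
func DecryptOnWorkstation(priv *rsa.PrivateKey, rec *StoredCard) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return "", errors.New("wrong private key or corrupted wrapped key")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aadLabel)
	if err != nil {
		return "", errors.New("record tampered with or corrupted")
	}
	return string(pt), nil
}

// MaskedForDisplay is all the server itself should ever put on an order
// screen: the last four digits, nothing a thief could charge.
func MaskedForDisplay(cardNumber string) string {
	if len(cardNumber) <= 4 {
		return cardNumber
	}
	return strings.Repeat("*", len(cardNumber)-4) + cardNumber[len(cardNumber)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// The key pair is generated on the back-office workstation; only the
	// public half is copied to the web server. 4111111111111111 is a
	// constructed test number, not a real card.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec, err := EncryptForBackOffice(&priv.PublicKey, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %s: %d-byte wrapped key, %d-byte ciphertext\n",
		MaskedForDisplay("4111111111111111"), len(rec.WrappedKey), len(rec.Ciphertext))
	card, err := DecryptOnWorkstation(priv, rec)
	fmt.Println("workstation recovers:", card, err)
}
```

The point Dan raises still applies: whoever copies the private key off the workstation gets every record at once, so the key file itself should be passphrase-protected and the workstation kept off the public network. The server-side half of this design never needs the passphrase because it never decrypts.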