tibberous Posted August 21, 2008 Share Posted August 21, 2008 I am building a system that needs to store credit cards, and am trying to make sure they are safe. Here i what I did so far: 1) Turned off all the other websites. It was already a dedicated, but I didn't want it to get hit through another site we had. 2) Put the actual numbers in a separate database. All this database does is hold the real number, all the other info is in a regular database. For this new database, I made a new user account - it is the only one that can access it, and only them with select, update and inserts. 3) Made it so that only a few, command line scripts can touch the credit card numbers. These scripts are outside the restricted basedir, so if someone could do a "../../../../../creditCards\0crap.jpg" anywhere in my code, they can't now. Is their more I should do? I thought about encrypting the numbers, but it seems like if they have enough access to my system to get the encrypted passwords, they'd have enough access to just go get the file the decrypts them. I don't want to use ioncube - but it's been suggested, again though, at that point your more talking about how to stop people with full ftp access to the system. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/ Share on other sites More sharing options...
BlueSkyIS Posted August 21, 2008 Share Posted August 21, 2008 I thought about encrypting the numbers, but it seems like if they have enough access to my system to get the encrypted passwords, they'd have enough access to just go get the file the decrypts them. not necessarily. for instance, someone could compromise MySQL without compromising apache, php, ftp access, etc. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622511 Share on other sites More sharing options...
akitchin Posted August 21, 2008 Share Posted August 21, 2008 what if someone directly steals your hardware? they can just nab the numbers. unlikely, but if it happens, you've basically just ruined the financial life of anyone who's ever used the system. IMO, the short answer is, you should never have to remember CC numbers. leave that to the people who have the liability to do so, and the security (both digital and physical) to protect them. perhaps to get more to the root of the problem, why do you have to store them? are you yourself processing them to see if they're legitimate? if not, and you simply want to remember the user's details, the more common approach is to remember the last 4 digits. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622513 Share on other sites More sharing options...
DeanWhitehouse Posted August 21, 2008 Share Posted August 21, 2008 I think you should be using SSL scripts aswell. And maybe also look into companys that have secure databases to store the numbers. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622528 Share on other sites More sharing options...
tibberous Posted August 22, 2008 Author Share Posted August 22, 2008 We need to keep them on file so users can get billed without retyping them. If they have to reenter their card number every time, the'll buy less stuff. While we use the last four digits for display purposes, we can't run a 4 digit card number through linkpoint. And the way I set it up, I was thinking it would be pretty much impossible to get mysql access to the card database without ftp access, but it still might be worth encrypting them for the few extra minutes it would take. At least then if I need to make backups of the database, I can do so without having to then encrypt them. I don't think I can use an SSL cert, since we already have one for a different subdomain on the server. Unless their is a way to install two that I don't know about, because the price of an unlimited sub-domain cert is insane. I will look to see if there is a way to run two certificates on the same server - I was even thinking about getting a free cert from that one free cert company that only works with Firefox, and then using it if they were using Firefox, and otherwise just switching to the non-SSL version. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622706 Share on other sites More sharing options...
corbin Posted August 22, 2008 Share Posted August 22, 2008 I think there are actually laws on retaining credit card information in some countries. Like the data has to be encrypted with a certain bit strength and so on. Maybe someone else can either elaborate on this or tell me if I'm crazy. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622709 Share on other sites More sharing options...
akitchin Posted August 22, 2008 Share Posted August 22, 2008 (...) because the price of an unlimited sub-domain cert is insane (...) i don't think any price should qualify as being too much for the sake of confidentiality when it comes to finances. I think there are actually laws on retaining credit card information in some countries. Like the data has to be encrypted with a certain bit strength and so on. Maybe someone else can either elaborate on this or tell me if I'm crazy. i sure hope there are. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622718 Share on other sites More sharing options...
cooldude832 Posted August 22, 2008 Share Posted August 22, 2008 Why do you personally need the numbers instead of a large payment processor like paypal? Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622719 Share on other sites More sharing options...
Prismatic Posted August 22, 2008 Share Posted August 22, 2008 A system I've done before uses a SHA256 bit hash of a alphanumeric and special character key we use to encrypt all sensitive data, this data is encrypted with mcrypt and the entire encryption file is encrypted with IonCube. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622739 Share on other sites More sharing options...
MasterACE14 Posted August 22, 2008 Share Posted August 22, 2008 It may mean more sales, but what if someones account is hacked, and they sue you? you will lose money in the end. Why not just use Paypal which works perfectly fine, That way they don't have to put in there details every time, and you can use a Instant Payment Notification(IPN) script to log the order or whatever in your database. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-622745 Share on other sites More sharing options...
tibberous Posted August 24, 2008 Author Share Posted August 24, 2008 ...It may mean more sales... That's why. And because being able to only run payments through PayPal seems amateur, and because linkpoint will run a credit card transaction at 1.85%, which a LOT less than paypal. Down the road we might add paypal and google checkout, but linkpoint seems to be the cheapest way and simplest way to process payments. Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-624141 Share on other sites More sharing options...
JasonLewis Posted August 24, 2008 Share Posted August 24, 2008 Nothing amateur about PayPal. It annoys me when large companies that sell stuff on the web don't offer PayPal as a form of payment. Not all of us have credit cards! Quote Link to comment https://forums.phpfreaks.com/topic/120775-protecting-credit-cards/#findComment-624143 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.