[PHP] Re: keeping credit card info in session


itocopus:

I stand corrected!

This document is the PCI self-assessment questionnaire for smaller merchants:

https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf

It lays out the requirements in detail (including encryption/ truncation) in one place and should answer all of the OP's questions. I'll be updating my systems to comply.

Thanks!

-Jim

On Apr 10, 2007, at 9:18 AM, itoctopus wrote:

Encryption is a mandatory part of PCI compliance...

--
itoctopus - http://www.itoctopus.com
"Jim King" <mlists@xxxxxxxxxxxxxxx> wrote in message
news:8AE50B49-6CD1-474A-857A-21F8BFC0D91C@xxxxxxxxxxxxxxxxxx


Does encrypting credit card information really do any good? You have
to store the keys somewhere to decrypt the data to use it. As we
have seen with blu-ray and HD DVD movies, the keys are the weak point
that are easily compromised. Besides, even encrypted data can be
decrypted by brute force. The strength of the encryption only
dictates how long it will take. Once you have the decryption key,
the strength of the encryption means nothing. Does anyone believe
that all these botnets are just for sending spam? You could use them
to create a huge supercomputer for code busting.

I think it is better to protect you network and passwords. Use the
Visa/MC/Amex standards that the companies themselves publish. None
of them require encryption, by the way.



On Apr 8, 2007, at 4:56 PM, itoctopus wrote:

Usually paying should be the last step, so you might probably want
to review
your workflow.
Anyways, if you're storing the credit card in the database, then
why are you
also storing it in the session, you can just query the database for
the
credit card based on the session id (so you should also store the
session id
in that table).
Since you're storing the credit card in the database, then you should
encrypt the credit card (there are plenty of encryption/decrypting
algorithms on the internet for PHP).
Other than that, I think everything is fine, and your system should
work
smoothly.
--
itoctopus - http://www.itoctopus.com
<siavash1979@xxxxxxxxx> wrote in message
news:1176056778.461933ca199b3@xxxxxxxxxxxxxxxxxxxx

Hi All,

I've got quite a bit or php experience, but I've never had to deal
with
credit
card info before. Now for a property rental site, I'm adding a way
for
users to
be able to fill out a form which also has some credit card info in
it.

After they submit the form, there are a couple of more steps and
to pass
credit
card info to the last page, I'm storing all the info in my
session. Now, I
did
go and bought an SSL certificate, so the booking section of the
site is on
SSL
(https). I'm just wondering if this is secure enough. as far as I
know,
SSL
means connection to server is secured, so session variables should be
secured
too. no?

Also after I get credit card info, I'm storing them in a mysql
table until
an
admin would log in to the site, see new reservations, charge them
manually
and
contact the customer, and then that entry will be removed from my
database
for
ever. Is this ok? or is it a really bad idea? originally the plan
was to
send
an email to the admin with credit card info, but then I realized that
emails
are very unsecure. so I decided to keep the info on the SSL
section of the
site.

just because I'm dealing with credit cards, I'm so afraid of doing
anything
now. Any suggestions? or perhaps any links to how to make it all more
secure?

Thanks a lot in advance,
Siavash

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
.

Relevant Pages

  • Encryptio key hardware solution... help :(
    ... that provides a Secure and Safe environment where these Credit Card ... Now it was proposed we do the 'hardware ... methods to protect and unprotect passed data. ... using a 2-step process the first step will need to read the encryption key ...
    (microsoft.public.sqlserver.security)
  • Re: [PHP] Re: keeping credit card info in session
    ... Encryption is a mandatory part of PCI compliance... ... to store the keys somewhere to decrypt the data to use it. ... On Apr 8, 2007, at 4:56 PM, itoctopus wrote: ... Anyways, if you're storing the credit card in the database, then ...
    (php.general)
  • Is In-Browser Encryption Safe?
    ... One of our clients has asked us to add an ordering facility to a web ... protect the credit card number. ... having orders reach the client as email makes sense. ... I have noticed implementations of public-key encryption ...
    (Security-Basics)
  • [PHP] Re: keeping credit card info in session
    ... You have to store the keys somewhere to decrypt the data to use it. ... As we have seen with blu-ray and HD DVD movies, the keys are the weak point that are easily compromised. ... Once you have the decryption key, the strength of the encryption means nothing. ... Anyways, if you're storing the credit card in the database, then why are you ...
    (php.general)
  • Re: four or five shopping cart design questions
    ... > I'm thinking about building a shopping cart from scratch, ... > 2) How does repeat customer session handling usually work? ... > they have to supply name address and credit card number. ...
    (comp.lang.php)