Date:      Wed, 29 May 2002 09:04:21 +1000
From:      Enno Davids <nconedd@webjump.national.com.au>
To:        Sean Farley <sean-freebsd@farley.org>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Web site security questions
Message-ID:  <20020529090421.Q23636@webjump.national.com.au>
In-Reply-To: <20020528171331.I87801-100000@thor.farley.org>; from sean-freebsd@farley.org on Tue, May 28, 2002 at 05:22:49PM -0500
References:  <20020528171331.I87801-100000@thor.farley.org>

On Tue, May 28, 2002 at 05:22:49PM -0500, Sean Farley wrote:
|
|5) Change code to encrypt the credit card numbers with a public key.
|
|6) Change code to decrypt the credit card numbers via an encrypted key
|   stored within the database.
|
|7) Change code to prompt for a password whenever a credit card number is
|   pulled from the database.  This will take a bit of work to make this
|   convenient.
|

There are some obvious key management issues here and clearly you're at
least making the attempt to grapple with them, but there is an alternative
which is to simply NOT STORE the credit card numbers to begin with. If
they're not stored, they can't be compromised. At least not in the routine
manner they might be if they're in a database. This may of course require
changes to the business model you're offering (most people want to do
recurring billing and want to do it by grabbing and holding onto their
customers' credit card numbers).

You'll be aware that essentially ALL the anecdotal evidence about theft of
credit card numbers devolves to people breaking into systems and accessing
stored lists/databases. There is essentially no evidence of them being
snooped off wires or stolen by trojans or the various other alternatives so
far (which may only mean that no one's been caught of course... but it's
worth considering).


Anyway, just a thought,

Enno.
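As an added illustration of the "don't store it" approach discussed in this thread (not code from either poster), the record below keeps only what billing and support actually need: an opaque reference from the payment processor (assumed to exist), the last four digits, and a keyed tag for spotting repeat cards. The tag key and the sample card number are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass, asdict

# Constructed sample key; in practice it lives outside the database
# (application config, an HSM), never in the same table as the records.
TAG_KEY = b"constructed-example-key-do-not-reuse"


def luhn_ok(pan: str) -> bool:
    """Luhn check so typos are rejected before the number is used at all."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_tag(pan: str, key: bytes = TAG_KEY) -> str:
    """Keyed tag of the card number: lets the same card be recognised twice
    without storing it. A stolen table of tags is useless without the key,
    unlike a plain hash, which could be brute-forced over the PAN space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredPayment:
    processor_ref: str  # opaque handle from the payment processor (assumed)
    last4: str          # enough for receipts and "which card?" support calls
    tag: str            # keyed tag for duplicate detection, see pan_tag()


def record_payment(pan: str, processor_ref: str) -> StoredPayment:
    """Build the row that is kept. The full number is used once, then dropped."""
    if not luhn_ok(pan):
        raise ValueError("invalid card number")
    return StoredPayment(processor_ref=processor_ref, last4=pan[-4:], tag=pan_tag(pan))


def leaks_pan(row: StoredPayment, pan: str) -> bool:
    """Test helper: does any stored field still contain the full number?"""
    return any(pan in str(v) for v in asdict(row).values())
```

Recurring billing then goes through the processor reference rather than a stored number, which is the business-model change the reply warns about.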