Re: More questions on security.

Posted by Gordon Burditt on 07/18/05 21:25

>I would be interested in your advice for protecting credit card
>numbers.
>
>My plan was to use mcrypt and store in mySql database. I thought I
>might use another field in the database as the key.

Well, consider what your biggest threats are here.
If you are trying to protect against the admin of your hosted
web and/or database site, you can pretty well forget it. Although
encrypting the credit card numbers does make it a bit harder
than just a SQL query for all of them.

If your idea here is that nobody will guess which field you are
using as the key, think again. Even if you have 200 fields in the
table, it won't take that long to figure out which one is the key.
Also, you have to worry about the field used as the key changing
(people get married and change their names, addresses and phone
numbers change, etc.). Some fields don't have enough variety to be
used as a key (let's see, one field can have Mr., Mrs., Miss, Dr.,
Queen, Pope, etc. as values, but really the first three are the only
ones that will be used much). You could use it as *part* of a key.

If you are trying to protect against accidental disclosure of a
dump of your database (or making it downloadable from the site, or
having a virus send it somewhere), it would be best if the key (or
at least an essential part of it) and the encrypted credit card number
are kept separated, so whoever gets one probably doesn't get the
other. This, I would think, would mean at least separate tables,
or one table and one config file used by your scripts.

>I will erase the number as soon as the card is authorized.

Careful, here. How long do you actually need to keep that number
around? Consider the scenario (which is not at all uncommon for
my employer, an ISP): New user signs up for 1 year via web form.
Initial online check of the card says it's OK. The charge goes
through. Forget for the moment that an ISP normally keeps credit
card numbers around for automatic renewals, and pretend it's sort
of like a pre-paid pay-by-the-spam spamming card for an ISP, pay
once with no automatic renewals (unfortunately I think the main use
of this would be by spammers).

Two months later the credit card company reverses the charge because
the REAL cardholder spotted the charge on their statement and
objected that they don't want a dialup account for a Texas ISP
because they live in Iraq, they never ordered it, and their identity
has been stolen. (Two months is not particularly long for this
sort of thing: it can take 5-6 weeks from the charge to the
cardholder receiving the statement, and a couple of weeks before
they read and pay it, and maybe a couple of weeks for the credit
card company to investigate it.) You get this report. Now, *WHICH
ACCOUNT DO YOU SHUT OFF*? Have you still got info needed to determine
that? Can you figure out which other accounts used the same account
number that haven't been reported yet? And do you have enough info
to report the crime, so if the guy gets caught, you have enough
evidence to recover something?

Now, if you do keep the info around, perhaps these older archives
are more safely kept on a private system not usually connected to
the Internet (e.g. dialed up once a week to archive the old records),
perhaps burned on CD-ROM and normally kept in a safe in your home
(and still encrypted).

Gordon L. Burditt
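The arrangement Gordon recommends (encrypted column in the database, key in a config file read by the scripts, so a database dump alone is useless) as an added example that is not code from the post. It uses openssl_encrypt with AES-256-GCM rather than mcrypt, since the mcrypt extension was removed in PHP 7.2; the key file path, its contents (32 random bytes, readable only by the web user) and the table layout are assumptions.

```php
<?php
// Added example, not from the original post. Key lives outside the web
// root and outside the database; ciphertext column holds iv.tag.ct.
declare(strict_types=1);

const KEY_FILE = '/etc/myapp/card_key.bin'; // assumed path: 32 random bytes, mode 0400
const CIPHER   = 'aes-256-gcm';

function loadKey(): string {
    $key = @file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('card key missing or wrong length');
    }
    return $key;
}

// Returns base64( iv[12] . tag[16] . ciphertext ); fresh IV per record.
function encryptCard(string $pan, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($pan, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// GCM authenticates the record: a wrong key or an edited row fails closed.
function decryptCard(string $blob, string $key): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pan = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pan === false) {
        throw new RuntimeException('decryption or authentication failed');
    }
    return $pan;
}

// Round trip with a constructed test PAN and a throwaway key (no key file needed).
function selfTest(): bool {
    $key  = random_bytes(32);
    $blob = encryptCard('4111111111111111', $key);
    return decryptCard($blob, $key) === '4111111111111111';
}

// With the real key and PDO (table cards(id, pan_enc) assumed):
// $stmt = $pdo->prepare('INSERT INTO cards (pan_enc) VALUES (?)');
// $stmt->execute([encryptCard($pan, loadKey())]);
```

Note that decryption with a key derived from another column would break the moment that column changes, which is the failure Gordon describes; a fixed key file avoids it.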
