Posted by Richard Lynch on 02/07/05 20:31
Dan Trainor wrote:
> Daniel Bowett wrote:
>> Is there any way I can use public/private key encryption in php in a
>> similar way to mcrypt.
>>
>> I have got php encrypting the data using GnuPG but need to automate the
>> decrypting element which is proving difficult because of the way the
>> password is passed.
>>
>
> While Daniel has brought up the subject of encryption, and I know that the
> other day we were talking about storing CC numbers in a database - I
> don't think we touched on storing CCs encrypted with a gpg-style
> encryption. Is this generally acceptable at all, or do you developers
> still not store CC numbers in any way, shape or form in a database?
I wouldn't store them at all.
If you encrypt them with a two-way algorithm, the private key is your weak
link.
SOMEBODY can always find a way to get to that private key.
You have to invest a TON of money and resources to make it SOOOO difficult
to get to the private key, that it's easier/cheaper for the Bad Guys to
get people's credit card numbers some other way.
If you are using one-way encryption, then you're only using it to verify
that somebody has access to that CC number, and you might as well use a
password the user can choose/change -- with suitable restrictions on the
quality of that password -- rather than risk transmitting the CC #
needlessly.
You need a REALLY good reason, and a REALLY REALLY REALLY good security
audit of your entire process, on a routine basis, with all software,
hardware, physical access, network access, under close-up scrutiny if you
store CC numbers in the database.
That's a reason why almost nobody does it, and a reason why we all just
let the banks/merchant-vendors worry about that stuff.
Sometimes it really is best to let a specialist handle things.
This is one of those times.
--
Like Music?
http://l-i-e.com/artists.htm
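The two mechanisms the thread contrasts, shown as an added PHP example that is not from any poster. It uses PHP's OpenSSL extension for the public/private key part Daniel asked about: the web tier holds only the public key and can encrypt but never decrypt, while the private key lives on a separate offline machine that does the automated decryption, which is how the "private key is the weak link" exposure is kept off the internet-facing host. It then shows Richard's one-way alternative, a keyed hash plus the last four digits, which can confirm a user knows the number without the number ever being stored. Function names, the key handling and the sample card number (a well-known test value, not a real account) are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names, key handling and
// the sample card number are constructed for illustration.
declare(strict_types=1);

// --- One-time setup, done OFFLINE: generate the keypair. The private key
// never leaves this machine; only the public key is deployed to the web tier.
function generateKeyPair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('keygen failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $privatePem);             // stays offline
    $publicPem = openssl_pkey_get_details($key)['key']; // goes to the web tier
    return [$publicPem, $privatePem];
}

// --- Web tier: encrypt-only. Nothing on this host can reverse the operation,
// so a compromise of the web server does not expose stored plaintext.
function sealForOffline(string $plaintext, string $publicPem): string
{
    $ok = openssl_public_encrypt($plaintext, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);
}

// --- Offline tier: the automated decrypt, using the private key that never
// left this machine. No passphrase prompt is involved, unlike a gpg CLI call.
function openFromWeb(string $b64cipher, string $privatePem): string
{
    $raw = base64_decode($b64cipher, true);
    if ($raw === false) {
        throw new InvalidArgumentException('ciphertext is not valid base64');
    }
    $ok = openssl_private_decrypt($raw, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plain;
}

// --- One-way variant: if the only need is "does the user know the number?",
// store a keyed hash and the last four digits, never the number itself.
// A keyed HMAC (rather than a bare SHA-256) stops offline guessing of the
// small 16-digit space by anyone who reads the database.
function fingerprint(string $pan, string $hmacKey): array
{
    $digits = preg_replace('/\D/', '', $pan);
    return [
        'last4' => substr($digits, -4),
        'mac'   => hash_hmac('sha256', $digits, $hmacKey),
    ];
}

function matchesFingerprint(string $pan, string $hmacKey, array $stored): bool
{
    $candidate = fingerprint($pan, $hmacKey);
    return hash_equals($stored['mac'], $candidate['mac']); // constant-time compare
}

// Demo with a constructed test card number (a standard test value, not a real account).
[$publicPem, $privatePem] = generateKeyPair();
$pan = '4111 1111 1111 1111';

$sealed = sealForOffline($pan, $publicPem);
assert(openFromWeb($sealed, $privatePem) === $pan);

$hmacKey = random_bytes(32);             // kept out of the database, like the private key
$stored  = fingerprint($pan, $hmacKey);
assert(matchesFingerprint('4111111111111111', $hmacKey, $stored));
assert(!matchesFingerprint('4111111111111112', $hmacKey, $stored));
echo 'stored last4: ', $stored['last4'], ', sealed length: ', strlen($sealed), PHP_EOL;
```

Direct RSA-OAEP is used only because a card number is a few bytes; for anything larger the usual pattern is to encrypt the data with a random symmetric key and seal that key with the public key. Either way the example only moves the private key off the web host; it does not remove the audit burden Richard describes, since whichever machine holds the private key is now the part of the process that has to be locked down.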