.NETGURU
Architecture for Credit Card Storage...
This message was discovered on ASPFriends.com 'aspngarchitecture' list.


Barry Sirote
Here's a break from all the OOP architecture that's been going around....

I'm looking for the experience of others in terms of persistent storage of
Credit Card info. Obviously, all online transactions are taking place
between the site and the Credit Card Processor through SSL. The question is,
once saved to the database, how have you secured it?

My thoughts: Symmetric encryption (AES, DES, RC4, etc...) does not work
because the key would have to be stored on a server in order to encrypt the
data. If the server was compromised then the key could easily be grabbed
and used to decrypt the data.

I have read that places like Amazon actually store CC info on an offline
device connected through a serial cable. I have even heard places take it
further by using a cross-over cable to connect an offline device. The
cross-over allows writes but blocks reads.

A Public Key System (PKI) can do the trick. Encrypt at server w/public key.
Decrypt offline w/private key.
BUT, how do you do recurring billing then?

Ben Hyrman
Obviously, a one-way digest encryption, such as MD5, won't work for you as
you want to reuse the credit card later. Plus, for various business reasons,
you'll probably want to be able to get the credit card (resettling,
crediting, fraud recovery, etc). However, other encryption schemes, such as
3DES, suck if you need to search on credit cards as every encryption will
yield a separate result. This means that, in order to search, you will need
to unencrypt every credit card and compare it to see if it matches.

A typical method I've seen is to store credit cards twice...in digest format
(md5) and in 3DES. We simply ensure that the key is not easily grabbed. One
option could be to store the key in a stored proc, or in Active Directory,
or anywhere but a spot easily accessible on your website. This allows for a
fairly secure method of getting all of the traits you mentioned needing.

I can't speak to Amazon, but I know my company does nothing like the method
you described. Then again, maybe that's why we're not the #1 on-line retail
site ;-)

Ben

----- Original Message -----
From: "Barry Sirote"
To: "aspngarchitecture"
Sent: Monday, July 22, 2002 5:09 PM
Subject: [aspngarchitecture] Architecture for Credit Card Storage...

[Original message clipped]
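Barry's public-key idea (encrypt on the web server with a public key, decrypt on an offline machine with the private key) and Ben's two-column layout (a digest for searching beside a reversible ciphertext) fit together into one storage pattern. The Go program below is an added example written for this page, not code from either poster; the key material, the test PAN and the function names are constructed for the demonstration. It wraps a fresh per-record AES-GCM key under the offline RSA public key (envelope encryption), so the web server can write records it cannot read back, and it builds the searchable column with a keyed HMAC-SHA256 instead of a bare MD5, because an unkeyed digest of a 16-digit card number is recoverable by enumerating the digit space.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is what the web server persists: a deterministic lookup column
// plus a ciphertext it cannot reverse, because only the public key is on it.
type Record struct {
	Lookup     string // hex(HMAC-SHA256(indexKey, PAN)): the searchable column
	WrappedKey []byte // RSA-OAEP(pub, dataKey)
	Nonce      []byte // AES-GCM nonce, random per record
	Ciphertext []byte // AES-GCM(dataKey, PAN)
}

// oaepLabel binds the wrapped key to this use; constructed for the example.
var oaepLabel = []byte("pan-vault-example")

// lookupKey derives the searchable column with a keyed digest. The index key
// is a server secret; without it the column cannot be brute-forced offline.
func lookupKey(indexKey []byte, pan string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// encryptForOffline runs on the web server: a fresh AES key encrypts the PAN,
// and that key is wrapped under the offline system's RSA public key.
func encryptForOffline(pub *rsa.PublicKey, indexKey []byte, pan string) (Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return Record{}, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{
		Lookup:     lookupKey(indexKey, pan),
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, []byte(pan), nil),
	}, nil
}

// decryptOffline runs only where the RSA private key lives.
func decryptOffline(priv *rsa.PrivateKey, r Record) (string, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// findByPAN is why the digest column exists: with a random key and nonce per
// record the same PAN never encrypts to the same bytes twice, so matching a
// card means comparing the deterministic lookup value, not the ciphertext.
func findByPAN(records []Record, indexKey []byte, pan string) (Record, bool) {
	want := lookupKey(indexKey, pan)
	for _, r := range records {
		if hmac.Equal([]byte(r.Lookup), []byte(want)) {
			return r, true
		}
	}
	return Record{}, false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)   // private key: offline host only
	indexKey := []byte("constructed-demo-index-key") // constructed demo secret
	pan := "4111111111111111"                         // standard test PAN, not a real card
	r1, _ := encryptForOffline(&priv.PublicKey, indexKey, pan)
	r2, _ := encryptForOffline(&priv.PublicKey, indexKey, pan)
	fmt.Println("same lookup column:", r1.Lookup == r2.Lookup)
	fmt.Println("same ciphertext:   ", string(r1.Ciphertext) == string(r2.Ciphertext))
	found, ok := findByPAN([]Record{r1, r2}, indexKey, pan)
	plain, err := decryptOffline(priv, found)
	fmt.Println("found:", ok, "round trip ok:", err == nil && plain == pan)
}
```

Barry's remaining question, recurring billing, is not answered by the cipher choice: whatever process charges the card must reach the private key, so the useful boundary in this design is between a web server that can only write records and a separate billing host that can read them.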

Chris Auld
We take the following approach:

On receipt of the CC# split the credit card number using an ABABAB
pattern
E.g.
1234567890
Becomes two parts
13579
24680

We then encrypt both of these parts symmetrically

One half is stuffed into the database, the other is emailed to a remote
site.

In order to get access to the full CC#, a user logs in over SSL to the
original server, enters the missing half and we produce the full CC#. It
could work the other way around if the billing system is offline.

This system is good in that it spreads the risk both geographically and
temporally.

If the server is compromised, either by a remote hacker, or by a thug
cutting a hole in the server room wall with a chainsaw, then they do
not have any useful information. Likewise, if the emails are
intercepted, the hacker will only get useful information for that period
of time that he can maintain interception, AND, that information will
only be useful if he is able to first compromise the Database server in
the data center.

Cheers
Chris

[Original message clipped]
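Chris's interleaved split, as an added Go example (not Chris's code). It handles the odd-length case his ten-digit example does not show, rejects halves whose lengths cannot belong together, and runs the recombined number through the Luhn check digit as a cheap guard against joining halves from two different records. The digit strings are constructed test values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitInterleave implements the ABABAB split: digits at even positions go to
// the first half, digits at odd positions to the second. For an odd number of
// digits the first half is one digit longer, so no padding marker is needed.
func splitInterleave(pan string) (string, string, error) {
	var a, b strings.Builder
	for i := 0; i < len(pan); i++ {
		c := pan[i]
		if c < '0' || c > '9' {
			return "", "", errors.New("PAN must contain digits only")
		}
		if i%2 == 0 {
			a.WriteByte(c)
		} else {
			b.WriteByte(c)
		}
	}
	return a.String(), b.String(), nil
}

// joinInterleave reverses the split. The halves must be the same length or
// the first exactly one longer; anything else cannot come from one PAN.
func joinInterleave(a, b string) (string, error) {
	if len(a) != len(b) && len(a) != len(b)+1 {
		return "", errors.New("half lengths do not match a single PAN")
	}
	var out strings.Builder
	for i := 0; i < len(a); i++ {
		out.WriteByte(a[i])
		if i < len(b) {
			out.WriteByte(b[i])
		}
	}
	return out.String(), nil
}

// luhnValid applies the standard check-digit test to a recombined number.
// A failure here means the two halves were not produced from the same card.
func luhnValid(pan string) bool {
	sum := 0
	double := false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

func main() {
	// Chris's own example, followed by an odd-length constructed value.
	for _, pan := range []string{"1234567890", "12345"} {
		a, b, _ := splitInterleave(pan)
		joined, _ := joinInterleave(a, b)
		fmt.Printf("%s -> %s / %s -> %s\n", pan, a, b, joined)
	}
	// Standard test PAN, not a real card: the Luhn check passes after rejoining.
	a, b, _ := splitInterleave("4111111111111111")
	joined, _ := joinInterleave(a, b)
	fmt.Println("luhn ok after rejoin:", luhnValid(joined))
}
```

Each half still reveals half of the digits, so the split spreads the risk, as Chris says, rather than removing it; the symmetric encryption of each half is what the scheme relies on to keep a single captured half from being useful.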

 Copyright © ExamGuru, Inc. 2001-2006