osCommerce

The e-commerce.

is my credit card data "safe enough"?


borghe

uggh.. so I NEED to store credit card details in certain instances in the database. I could store them offline on, say, my workstation at home, but it would be a tremendous pain to go back and forth to "link" the details with the "online" users when it came time to charge them in these particular instances. besides that, I can actually set up an automated method to charge them (long story, not part of the default oscommerce setup. this is separate charging done on a particular and exclusive basis).

So anywho, I wrote my own method of storing the encrypted credit card. essentially what I'm doing (and I'm not worried about mentioning this being that the lock and key are never stored in the same place) is triple-DES encrypting the modified credit card string. I am then adding the basic customer-viewable info (last 4 digits and date) and then base64 encoding that. so the customer will have easy access to the last 4 and date to know what card they have on file. now the trick to this is that the initialization vector is being emailed to me base64 encoded. so the only way to decrypt the string is to get hold of the initialization vector, which won't be located anywhere near the actual encrypted string (physically and theoretically).

so when I want to charge the customer, I can create a simple SSL-encrypted page that will look up the customer_id I pass, take the base64 encoded initialization vector I received in the email as input, add something like a dollar amount field to charge against the customer's card in real time over auth.net, and all is good. the only chance a hacker would ever have of "breaking" the system as far as I see is either sniffing the original email as it is sent or breaking into my box and getting it off of there (which of course it is also encrypted on).

if anyone sees a problem with this I would LOVE for you to point it out. I am going to go live with this pending any unknown dangers and would certainly love the input.


One problem is that you are not allowed to store customer cc details, and even worse if you store ccv and/or Visa Verified/MasterCard SecureCodes, and might lose your merchant account. If your "security" system is breached you might also face criminal charges.

Edited by toyicebear

I have already looked at the Visa PCI self-assessment. to answer questions for section 3:

3.1 Is sensitive cardholder data securely disposed of when no longer needed?

Yes. All data will be removed immediately when a customer chooses to terminate their subscription status.

3.2 Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products?

Not doing any card-present transactions, so not a problem.

3.3 Is it prohibited to store the card-validation code (three-digit value printed on the signature panel of a card) in the database, log files, or point-of-sale products?

Yes. It will never be stored, even temporarily.

3.4 Are all but the last four digits of the account number masked when displaying cardholder data?

Yes, the full number will never be displayed, either to me or the customer.

3.5 Are account numbers (in databases, logs, files, backup media, etc.) stored securely, for example by means of encryption or truncation?

As I said in the first post, numbers will be fully 3DES encrypted with the initialization vector not being stored on the network.

3.6 Are account numbers sanitized before being logged in the audit log?

No account numbers are being logged.

Furthermore, each key for each card number is also now being randomly generated as a 128-byte string using random ASCII chars 31-255, giving 1.325083269986333e+474 possibilities, and again, not being stored with the initialization vector, and neither being stored on the shared hosting service. so the only thing being stored on the shared service is the actual 3DES encrypted card data itself.

 

as I said before, the bottom line is that I WILL have to store the card data, either online or offline. Offline presents a whole new host of problems, such as how to get the card number from the customer to myself securely, and of course again creates an even bigger single point of failure.

 

any other thoughts?
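Both posts above rest on the same idea: the 3DES ciphertext sits on the host, and withholding the initialization vector (emailed off-site) is what keeps it unreadable. The following is an added example, written for this page in Go with only the standard library; it is not the poster's code and not part of osCommerce. It stores a card number under 3DES-CBC the conventional way, with a fresh random IV kept next to the ciphertext and only the key treated as secret, and its `DecryptWithoutIV` function shows why the IV cannot stand in for the key: in CBC the IV feeds into the first 8-byte block only, so once someone holds the key, every later block decrypts correctly under any IV at all. The key, the sample card number, and all function names are constructed for the example; the 24-byte key length is what Go's `crypto/des` requires for 3DES.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// demoKey is a constructed 24-byte 3DES key for this example only; in a real
// deployment the key lives off the web host (separate vault, HSM or similar).
var demoKey = []byte("0123456789abcdefghijklmn")

// pkcs7Pad pads b to a multiple of blockSize (3DES uses 8-byte blocks).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting malformed padding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad plaintext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptPAN encrypts a card number with 3DES-CBC under a fresh random IV and
// returns base64(iv || ciphertext): the IV is stored with the data in the
// clear, and only the key is secret.
func EncryptPAN(key []byte, pan string) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pt := pkcs7Pad([]byte(pan), des.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// decryptBlob decrypts base64(iv || ciphertext); a non-nil ivOverride is used
// in place of the stored IV.
func decryptBlob(key []byte, blob string, ivOverride []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return "", errors.New("bad blob length")
	}
	iv, ct := raw[:des.BlockSize], raw[des.BlockSize:]
	if ivOverride != nil {
		iv = ivOverride
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, des.BlockSize)
	return string(pt), err
}

// DecryptPAN reverses EncryptPAN using the IV stored with the ciphertext.
func DecryptPAN(key []byte, blob string) (string, error) {
	return decryptBlob(key, blob, nil)
}

// DecryptWithoutIV shows what the key alone yields when the IV is withheld:
// in CBC only the first block depends on the IV, so every later block (and
// the padding) decrypts correctly under an all-zero IV. The IV is not a key.
func DecryptWithoutIV(key []byte, blob string) (string, error) {
	return decryptBlob(key, blob, make([]byte, des.BlockSize))
}

func main() {
	blob, _ := EncryptPAN(demoKey, "4000123456789010") // constructed sample, not a real card
	full, _ := DecryptPAN(demoKey, blob)
	partial, _ := DecryptWithoutIV(demoKey, blob)
	// partial[8:] prints "56789010": digits 9-16 come back without the IV.
	fmt.Println(blob, full, partial[8:])
}
```

The practical consequence for the design discussed in the thread is that the secret which has to stay off the shared host is the key, not the IV; a per-card random key that never touches the host, as the second post describes, is the part of the scheme that does the protecting, and the IV can simply be stored next to the ciphertext.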
