ASP large number arithmetic

nbozic

1:50 pm on Sep 22, 2005 (gmt 0)

10+ Year Member



Hi,

I plan to store credit card numbers on my web host's server and would like to encrypt the numbers (in a way that I can decrypt them again, so I don't want to use any hash methods). It's probably a good idea to encrypt sensitive information in a database.

Anyway, to accomplish encryption, I would like to do different kinds of arithmetic operations to the credit card numbers, so that they are unrecognizable (until decrypted again).

For example:
Original CC#: 1212121212121212
Multiply by 4: 4848484848484848
Add 1000000000001150: 5848484848485998
And so on...

The problem is that I don't think there is a data type that stores such large integers in ASP Classic. I tried doing the arithmetic (while ASP was automatically handling the data type conversion), but I ended up with wrong encryption/decryption results, since ASP converted the numbers to the Single and Double data types, giving values such as 4909494547.391+E8039...
Is there an easy way to do large number arithmetic?

Thanks!

NB
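As an added illustration (not code from the thread; written in Python rather than ASP so it can be run anywhere), the block below emulates what happens to the poster's 16-digit arithmetic once a Variant coerces the operands to a Single or Double, and shows the digit-string add and multiply-by-small-integer routines that an ASP page could port to VBScript to keep every digit exact. The card number and keys are the constructed values from the post above, not real card data; the larger multiplier 1234567 is an assumed extra key chosen to push the product past 2^53. It addresses only the arithmetic question; as the later replies point out, the transform itself is a reversible encoding, not encryption.

```python
import struct

# Constructed sample values taken from the post above (not a real card number).
SAMPLE_CARD = 1212121212121212
SAMPLE_MULT = 4
SAMPLE_ADD = 1000000000001150

# Every integer up to 2**53 has an exact IEEE-754 Double; above that, gaps open up.
DOUBLE_EXACT_LIMIT = 2 ** 53


def as_single(x):
    """Round an integer through a 32-bit IEEE-754 Single (VBScript's Single subtype)."""
    return struct.unpack("<f", struct.pack("<f", float(x)))[0]


def as_double(x):
    """Round an integer through a 64-bit IEEE-754 Double (VBScript's Double subtype)."""
    return float(x)


def survives_double(x):
    """True if the integer x comes back unchanged from a Double round trip."""
    return int(as_double(x)) == x


def encode_exact(card, mult, add):
    """The thread's arithmetic 'encoding' done on arbitrary-precision integers."""
    return card * mult + add


def decode_exact(value, mult, add):
    """Inverse of encode_exact on arbitrary-precision integers."""
    return (value - add) // mult


def encode_double(card, mult, add):
    """Same arithmetic with every operand coerced to Double, as a Variant would do."""
    return as_double(card) * as_double(mult) + as_double(add)


def report(card, mult, add):
    """Compare the value the exact path would store with the value the Double path stores."""
    exact = encode_exact(card, mult, add)
    stored = int(encode_double(card, mult, add))
    return {
        "exact_encoded": exact,
        "double_encoded": stored,
        "stored_value_exact": stored == exact,  # False once card*mult leaves the 2**53 range
    }


def str_mul_small(digits, k):
    """Schoolbook multiplication of a decimal digit string by a small positive integer.

    Only digit-by-digit Long arithmetic is used, so the same loop works in VBScript.
    """
    carry, out = 0, []
    for d in reversed(digits):
        carry, r = divmod(int(d) * k + carry, 10)
        out.append(str(r))
    while carry:
        carry, r = divmod(carry, 10)
        out.append(str(r))
    return "".join(reversed(out))


def str_add(a, b):
    """Schoolbook addition of two decimal digit strings."""
    width = max(len(a), len(b))
    a, b = a.zfill(width), b.zfill(width)
    carry, out = 0, []
    for x, y in zip(reversed(a), reversed(b)):
        carry, r = divmod(int(x) + int(y) + carry, 10)
        out.append(str(r))
    if carry:
        out.append(str(carry))
    return "".join(reversed(out))


if __name__ == "__main__":
    # The post's own multiplier stays under 2**53, so the Double path happens to work...
    print(report(SAMPLE_CARD, SAMPLE_MULT, SAMPLE_ADD))
    # ...but one more key (assumed value 1234567) pushes the product past it and the stored value is rounded.
    print(report(SAMPLE_CARD, 1234567, SAMPLE_ADD))
    print("Single keeps the card intact:", int(as_single(SAMPLE_CARD)) == SAMPLE_CARD)
    print(str_add(str_mul_small(str(SAMPLE_CARD), SAMPLE_MULT), str(SAMPLE_ADD)))
```

The string routines are the "easy way" for a language without big integers: the number never leaves its digit-string form, so the Variant has nothing to coerce. For decoding, the same approach needs a digit-string subtraction and a short division by the small key, which follow the same carry/borrow pattern.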

txbakers

2:20 pm on Sep 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ASP Classic doesn't have datatypes. Databases do. The Integer DataType in mySQL stores up to 11 Bytes of data, plenty large enough to handle your encryptions.

Easy_Coder

3:26 pm on Sep 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I plan to store credit card numbers on my web host's server

That's not a good idea... have you checked your agreement with your processor? Visa/MC etc. are staunchly opposed to this and make it part of your merchant agreement.

Regarding the type: everything is Variant type in ASP, and the Variant stores its values as subtypes. I'm not sure that Variant actually has a fixed size, though. I think what's interesting is what will happen when you attempt to do large number math with a Variant without explicit conversion getting in the way, which could reduce your number?

I am curious to see what you get working in terms of the math.

mrMister

5:22 pm on Sep 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just don't even go there. Encryption is a lot more complex than you seem to think it is. You're setting yourself up for an absolute disaster. If a cracker comes in, they'll laugh at your simple encoding (it's not encryption), take the credit card details, and it will be you that will be liable when the lawyers get called in.

The advice that has been offered here is don't store credit card details on your server. That is very good advice. Usually the risks far outweigh the benefits. Very few online retailers store credit card details. Those that do are either stupid or have enough funds to hire a real encryption expert and properly secure their servers (that's physical security in the form of preventing anyone getting near the actual machine in person as well as technological security).

If you are going to use encryption, use a proper tried and tested encryption algorithm; do not think you can make one up yourself, because you can't. You'll be wanting to use public key encryption. You encrypt the credit card details with the public key and decrypt them with the private key, which must be very well secured, certainly on a different computer, even better in a different building miles away!

I don't want to be rude, but you clearly don't know the first thing about encryption. It is a very complicated area of mathematics. Implementing it takes a very good understanding of network security as well. It's not the sort of thing you can just pick up by asking for some code samples on the Internet.

nbozic

5:31 pm on Sep 23, 2005 (gmt 0)

10+ Year Member



Ok, I'll give you that - I don't know much about encryption, but I didn't claim that I did know. True encryption is indeed very complicated, but I have to do something to make my new system e-commerce ready and also keep it very flexible.

What I was trying to accomplish is the following:

1. Store CC numbers on my web host's server and have them readily available for each transaction. Users should not have to enter it more than once, and the transactions would happen in the background, so it would be completely transparent to them in the first place. Because of that, I have to store the numbers somewhere and have full access to them so that they can be reused over and over again.
My web host said that security is their top priority and that lots of their customers store CC numbers on their servers without any issues.

2. In case a hacker got access to the database, I wanted to make it more difficult to decipher the real CC numbers. He would also have to know the 12 different encoding keys that disguised the original numbers, and he would also have to know the types and order of arithmetic performed. In other words, he would have to have access to both the database and the web pages that contain the keys (otherwise it would be difficult to get any use out of the unrecognizable numbers). Maybe it's not that great of a solution, but at least it makes it somewhat harder to do damage.

Since I'm truly not a security and encryption expert, and since you suggested I don't store the CC numbers on my server, then what should I do instead?

The problem is that I don't think that any payment processing company will give me enough flexibility... They'll also probably charge me a lot of money for their services and database storage...
I'm starting this whole thing with truly no capital at all - just an idea that I believe will make the web system I'm working on very successful.

Thanks,

NB

Easy_Coder

7:41 pm on Sep 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



They'll also probably charge me a lot of money for their services and database storage...

You're going to pay a transaction fee just like you would if you swiped the card manually. I know you want to make it easy on your customers but that comes with a lot of risk. The nice thing about going through a payment gateway is the elimination of liability on your part. Your merchant agreement says that you agree not to persist credit card numbers in a database. You give them the card number and dollar amount and they give you an approval code.

No host sets out to be insecure, but in most hosting environments those database servers are directly connected to the internet along with many other users that you should not trust.

I was logged into a web host account last month doing some database work on a shared server for a client and I was actually able to access DTS packages for all of the other shared users. One package had an Active X Script Task which contained code for a file-less DSN. The username, password, database name and location were completely exposed to me and it wasn't my database.

txbakers

9:21 pm on Sep 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



then what should I do instead

I use PayPal for all my credit card transactions.

No purchases, no monthly fees, reasonable transaction fees, good support.

nbozic

9:33 pm on Sep 25, 2005 (gmt 0)

10+ Year Member



Thanks for the replies. This topic started as a programming issue, and it seems it turned into an e-commerce issue. Because of that - and because I have more questions - I will soon post a new thread in the e-commerce section. I hope you guys can join me there.

Thanks,

NB