need to take credit cards with 128 bit encryption

         

monolift

3:56 pm on Jun 28, 2002 (gmt 0)

10+ Year Member



I have a client that needs to be able to take credit cards with 128 bit encryption.

We're looking for the most simple solution here - they don't need to do any processing online because orders will be directed to 18 different franchise locations for processing.

I do, however, need to figure out how to send this sensitive info in a secure way. Is it possible to send it securely through email or is a database the only way?

DaveAtIFG

3:36 pm on Jul 1, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's a discussion here [webmasterworld.com] that may provide some insight. Can anyone offer additional comments?

stlouislouis

5:25 pm on Jul 1, 2002 (gmt 0)

10+ Year Member



Hi,

I'm no expert on this stuff, but two things come to mind you may want to consider. Maybe doing a secure copy (i.e. scp in unix) file transfer or other type of "secure FTP".

One can use PGP to encrypt the data, then send over whatever unsecure channel you want, making sure the person at the other side checks the hash to be sure the data wasn't modified. Folks use PGP like this to send encrypted messages via e-mail.

Basically, AFAIK there are two approaches. First, you can have an encrypted "channel/pipe" you send a message through that others can't read. Second, you encrypt the data transmitted -- and don't care if the "channel/pipe" is encrypted.

Whatever one chooses of course, both the sender and recipient simply need a step by step procedure to encrypt/decrypt the data in an automated fashion.

Hope something in the above is helpful.

Best wishes,

Louis

Crazy_Fool

10:48 am on Jul 2, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i'd say online processing would be the easiest and best solution. once the transaction has been processed online, a confirmation email with full order details can be automatically sent to the appropriate franchise. why make life difficult?

monolift

5:33 pm on Jul 2, 2002 (gmt 0)

10+ Year Member



How would you guarantee the security of the confirmation email?

Crazy_Fool

8:22 pm on Jul 2, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



would you NEED the confirmation emails to be secure? there wouldn't be any credit card details in them, just customer details and order details. (no need for you to handle transmission and storage of any card numbers or anything else). you'll know the orders have come through the payment system by the From address.

monolift

8:33 pm on Jul 2, 2002 (gmt 0)

10+ Year Member



That makes sense.

I guess I will have to store the credit card info in a database until the franchise is able to retrieve it. The confirmation can stay the same.

Crazy_Fool

11:04 pm on Jul 2, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



why not use a card processing company? no need for any secure storage, no need for each franchise to process everything manually, so much easier to set up and deal with. using a card processing company can give you full automation and it doesn't cost much. why make life difficult?

monolift

11:18 pm on Jul 2, 2002 (gmt 0)

10+ Year Member



The problem with that is that each franchise has its own merchant account. If we wanted each to have their orders processed, we would have to set up 17 different accounts with a 3rd party provider.

Crazy_Fool

7:20 am on Jul 3, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



but would you? why not have one online card processing account and just transfer funds once a week or once a month?

even if you were to set up 17 online processing accounts it'll still make life easier than having to store and transmit card numbers with 17 PGP keys.