Subject: Re: [ebxml-dev] ebXML security for Credit Cards
Here's a security question that I've had from one of my developers, and it is in regards to the storage of Credit Card numbers.

We have an application that generates X.12/ebXML Purchase Orders with Credit Card numbers. The app actually runs off a CDR business card and is given out to Customers at the front counter in retail shops. They take the CDR card home, stick it in their computer and make a purchase.

Now when the Purchase Order is sent, it goes over the Net by SSL, so it is sent in an encrypted form. When it lands at the destination it is then decrypted and stored in plain text, but the credit card numbers are encrypted. It looks like this:

    <Payment Details>
    Payment_Date=12-Apr-02
    Payment_Amount=588.7
    TP="Qm6ItCIKhGZxKg==B"
    CD="y8bcHcDcxp1IhToMtWD6PhSuaQ=="
    XP="Pj3L9g=="
    </Payment Details>

which after decryption would be:

    <Payment Details>
    Payment_Date=12-Apr-02
    Payment_Amount=588.7
    TP="Visa"
    CD="4557012301230123"
    XP="0606"
    </Payment Details>

This version immediately above is never stored. It's always in the first format.

My two questions are:

1) Is this method safe enough for general consumption, and if not, what would need to be done to make it secure?

2) Where is a safe place, generally speaking, to store encryption keys?

I know that many in-house systems at the moment keep credit card details in plain text in a Customer database, but our system needs to be a few steps up from that.

Any suggestions welcomed.

David Lyon
Global Tradedesk
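The message states that the decrypted record is never stored. One way to check that claim against stored records is sketched below, as an added example that is not part of the original post and not the poster's code. The brand list and the cleartext heuristics for `TP` and `XP` are assumptions; the sample card number from the post fails the Luhn checksum, so it is flagged on its digit run alone.

```python
import re

# Both records are copied from the post: the stored form and its decryption.
STORED = '''Payment_Date=12-Apr-02
Payment_Amount=588.7
TP="Qm6ItCIKhGZxKg==B"
CD="y8bcHcDcxp1IhToMtWD6PhSuaQ=="
XP="Pj3L9g=="'''
DECRYPTED = '''Payment_Date=12-Apr-02
Payment_Amount=588.7
TP="Visa"
CD="4557012301230123"
XP="0606"'''

PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13 to 19 digits
BRANDS = {"visa", "mastercard", "amex", "diners"}  # assumed list, extend as needed

def luhn_ok(digits):
    """Luhn checksum of a digit string; real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_fields(record):
    """Split KEY=value lines on the first '=' so base64 padding survives."""
    fields = {}
    for line in record.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields

def audit(record):
    """Return (field, reason) pairs for card data that looks stored in clear."""
    findings = []
    for key, value in parse_fields(record).items():
        for m in PAN_RUN.finditer(value):
            digits = re.sub(r"\D", "", m.group())
            note = "Luhn valid" if luhn_ok(digits) else "Luhn invalid"
            findings.append((key, f"cleartext card-number-like value ({note})"))
        if key == "XP" and re.fullmatch(r"\d{4}", value):
            findings.append((key, "cleartext expiry"))
        if key == "TP" and value.lower() in BRANDS:
            findings.append((key, "cleartext card type"))
    return findings
```

`audit(STORED)` returns an empty list, while `audit(DECRYPTED)` reports the `TP`, `CD` and `XP` fields.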