Subject: RE: [ebxml-dev] ebXML security for Credit Cards
Hi David,

This is a classic requirement for having security beyond data storage. Apart from data encryption, there would be a need to do the following:

1. Provide an access control mechanism at content level that will decide who can read/write/browse what.
2. Based on the user performing the operation, the access control can be verified and so allowed/denied to manipulate the data.

If you use a relational database system for storing the purchase order information, you would need to build this access control in your application. I assume you have a user security database already in place for handling user authentication, otherwise all this is meaningless.

I may not have answered your questions, but hope this provides some ideas.

regards,
-ranjeet

> -----Original Message-----
> From: David Lyon [mailto:david.lyon@globaltradedesk.com]
> Sent: Thursday, April 11, 2002 10:16 PM
> To: Ebxml-Dev (E-mail)
> Subject: Re: [ebxml-dev] ebXML security for Credit Cards
>
> Here's a security question that I've had from one of my developers and it is
> in regards to the storage of Credit Card numbers.
>
> We have an application that generates X.12/ebXML Purchase Orders with Credit
> Card numbers. The app actually runs off a CDR business card and is given out
> to Customers at the front counter in retail shops. They take the CDR card
> home, stick it in their computer and make a purchase.
>
> Now when the Purchase Order is sent, it goes over the Net it goes by SSL so
> it is sent in an encrypted form.
>
> When it lands at the destination it is then decrypted and stored in plain
> text, but the credit card numbers are encrypted. It looks like this:
>
>     <Payment Details>
>     Payment_Date=12-Apr-02
>     Payment_Amount=588.7
>     TP="Qm6ItCIKhGZxKg==B"
>     CD="y8bcHcDcxp1IhToMtWD6PhSuaQ=="
>     XP="Pj3L9g=="
>     </Payment Details>
>
> which after decryption would be:
>
>     <Payment Details>
>     Payment_Date=12-Apr-02
>     Payment_Amount=588.7
>     TP="Visa"
>     CD="4557012301230123"
>     XP="0606"
>     </Payment Details>
>
> This version immediately above is never stored. It's always in the first
> format.
>
> My two questions are:
>
> 1) Is this method safe enough for general consumption and if not what
>    would need to be done to make it secure?
>
> 2) Where is a safe place generally speaking to store encryption keys?
>
> I know that many in-house systems at the moment keep credit card details in
> plain text in a Customer database, but our system needs to be a few steps up
> from that.
>
> Any suggestions welcomed
>
> David Lyon
> Global Tradedesk
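
A sketch of the content-level access control described in the reply, applied to the stored Payment Details record quoted in the thread. This is an added example, not code from either poster: the role names, the policy table and the function names are assumptions, and decryption of the card fields is deliberately left out.

```python
import re

# Stored record as quoted in the thread (card fields remain ciphertext).
RECORD = """<Payment Details>
Payment_Date=12-Apr-02
Payment_Amount=588.7
TP="Qm6ItCIKhGZxKg==B"
CD="y8bcHcDcxp1IhToMtWD6PhSuaQ=="
XP="Pj3L9g=="
</Payment Details>"""

# Hypothetical roles and per-field rights: "r" = read, "w" = write.
# Deny by default: a field not listed for a role is invisible to it.
POLICY = {
    "order_clerk":  {"Payment_Date": "r", "Payment_Amount": "r"},
    "settlement":   {"Payment_Date": "r", "Payment_Amount": "r",
                     "TP": "r", "CD": "r", "XP": "r"},
    "order_intake": {"Payment_Date": "rw", "Payment_Amount": "rw",
                     "TP": "w", "CD": "w", "XP": "w"},
}

# key=value or key="value"; the <Payment Details> marker lines do not match.
LINE = re.compile(r'^(\w+)=(?:"([^"]*)"|(.*))$')

def parse_record(text):
    """Parse the key=value lines between the <Payment Details> markers."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def read_view(role, fields):
    """Return only the fields the role may read; unknown roles get nothing."""
    rights = POLICY.get(role, {})
    return {k: v for k, v in fields.items() if "r" in rights.get(k, "")}

def write_field(role, fields, name, value):
    """Return an updated copy if the role may write the field, else refuse."""
    if "w" not in POLICY.get(role, {}).get(name, ""):
        raise PermissionError(f"{role} may not write {name}")
    updated = dict(fields)
    updated[name] = value
    return updated
```

Even the role allowed to read `CD` only receives the stored ciphertext here; whoever holds the decryption key is a separate control from the field policy.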