using m2crypto to encrypt credit card numbers
marklists at mceahern.com
Tue Jun 11 22:12:00 CEST 2002
> I've not followed the thread, but I'm assuming that your problem is that
> you don't want to store the card number in plain text, and that if you
> encrypt and store it in a manner that will allow automatic decryption by
> your software, then a cracker who gains access to your servers will be
> able to decrypt the card numbers with ease.
That's it precisely.
> The only sensible solution to this that I've ever thought of involves
> getting the payment processor (i.e. online transaction processing
> company) to store a hash for each of your customers' credit cards.
I should have mentioned that solutions which involve getting the payment
processor to do anything different are simply not an option. As far as I
can tell, I either store the credit card number or I can't do recurring
billing. If you know of any payment processors that support recurring
billing, please share them.
> Consequently you wouldn't need to store the card number at all, just the
> encrypted hash. Job's a good'un; card numbers would be nicked from far
> fewer online web sites with shoddy security.
Also, another reason I need to store the credit card number is in the case
of chargebacks, which don't go through the payment processor--rather, they
go through the bank. I don't fully understand this part, but I do believe I
need the credit card number in order to link the chargeback to a
Thanks for your comments,