using m2crypto to encrypt credit card numbers

Mark McEahern marklists at mceahern.com
Tue Jun 11 22:12:00 CEST 2002


[Graham Ashton]
> I've not followed the thread, but I'm assuming that your problem is that
> you don't want to store the card number in plain text, and that if you
> encrypt and store it in a manner that will allow automatic decryption by
> your software, then a cracker who gains access to your servers will be
> able to decrypt the card numbers with ease.

That's it precisely.

> The only sensible solution to this that I've ever thought of involves
> getting the payment processor (i.e. online transaction processing
> company) to store a hash for each of your customers' credit cards.

I should have mentioned that solutions which involve getting the payment
processor to do anything different are simply not an option.  As far as I
can tell, I either store the credit card number or I can't do recurring
billing.  If you know of any payment processors that support recurring
billing, please share them.

> Consequently you wouldn't need to store the card number at all, just the
> encrypted hash. Job's a good'un; card numbers would be nicked from far
> fewer online web sites with shoddy security.

Also, another reason I need to store the credit card number is in the case
of chargebacks, which don't go through the payment processor--rather, they
go through the bank.  I don't fully understand this part, but I do believe I
need the credit card number in order to link the chargeback to a
transaction.

Thanks for your comments,

// mark
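To make the hash-token idea from the quoted reply concrete against the chargeback concern raised above, here is an added Python example (written for this page, not code from either poster, and using only the standard library rather than M2Crypto): the merchant keeps a keyed one-way token and the last four digits instead of the card number, and can still link a chargeback, whose card number arrives from the bank, back to the transactions it belongs to. The key name, record layout and the widely published test card numbers are assumptions of the example.

```python
import hashlib
import hmac

# Constructed example key. A real deployment would generate it with a CSPRNG
# and keep it out of the transaction database; an attacker who obtains both
# the ledger and this key can confirm guessed numbers, but cannot simply
# "decrypt" the tokens the way a reversible encryption key would allow.
TOKEN_KEY = b"constructed-example-key-do-not-use"


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' agree."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return digits


def card_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token (HMAC-SHA256) standing in for the card number.

    Plain SHA-256 would be a poor choice here: card numbers have little
    entropy once the issuer prefix and check digit are fixed, so an
    unkeyed hash could be matched by enumeration. The key is what makes
    the token useless without it.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def record_transaction(ledger: list, pan: str, amount: str, txn_id: str) -> None:
    """Store only the token and last four digits, never the number itself."""
    d = _digits(pan)
    ledger.append({"txn_id": txn_id, "token": card_token(d),
                   "last4": d[-4:], "amount": amount})


def find_transactions_for_chargeback(ledger: list, pan: str) -> list:
    """Given the card number supplied with a chargeback, find matching txns."""
    wanted = card_token(pan)
    return [r["txn_id"] for r in ledger
            if hmac.compare_digest(r["token"], wanted)]


def ledger_holds_pan(ledger: list, pan: str) -> bool:
    """Sanity check a defender wants: does any stored field contain the PAN?"""
    d = _digits(pan)
    return any(d in str(v) for r in ledger for v in r.values())
```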
