On Thu, Apr 24, 2003 at 11:46:27PM -0700, Scott Haneda wrote:
> Can someone outline to me in as much detail as possible the best way to
> store credit card data in MySql.
One way I've heard about is to store your CC numbers pgp-encrypted
using a public key, where the private key is on a machine that is
essentially inaccessible except that other machines can ask it to
perform operations on the CC. (Perform authorizations, chargebacks,
whatever.) That machine never reveals the CC number to the client,
only the success or failure of the transactions.
Someone breaking into a client can still cause the private machine to
manipulate its credit cards, but that's different than someone just
snarfing a million numbers and posting them to alt.sex. The private
machine can be smart enough to notice when something unusual is
happening (more captures/minute than normal) and send out alerts.
If you do need to get a cc number, you can tell the private machine to
encrypt it using some other public key that only you have the private
key for, and email you the re-encrypted number.
If you do need to search on the CCs (if you get a question about a
charge, and have only the CC), you can store hashes of the CC numbers
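The hash-for-lookup idea above, as an added Python example that is not code from the thread: the web tier keeps only an opaque ciphertext and a lookup token per card, and a keyed HMAC is used for the token rather than a bare hash because card numbers have far too little entropy for an unkeyed hash to resist enumeration. The key, the card numbers and the ciphertext placeholder are all constructed values.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Added example, not from the original thread. The HMAC key is assumed to be
# held by the lookup service only, never stored beside the table it protects;
# an attacker who takes the database gets tokens that cannot be enumerated
# and ciphertexts they cannot open.

def pan_token(pan: str, key: bytes) -> str:
    """Deterministic lookup token for a card number; formatting is ignored."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (token TEXT, order_id TEXT, ciphertext BLOB)")
    conn.execute("CREATE INDEX cards_token ON cards (token)")
    return conn

def store_card(conn, key: bytes, pan: str, order_id: str, ciphertext: bytes):
    # Only the token and the (already public-key-encrypted) blob reach the DB.
    conn.execute("INSERT INTO cards VALUES (?, ?, ?)",
                 (pan_token(pan, key), order_id, ciphertext))

def find_orders(conn, key: bytes, pan: str):
    # Answer "which orders used this card?" from the number alone,
    # without decrypting anything and without a plaintext column to search.
    rows = conn.execute(
        "SELECT order_id FROM cards WHERE token = ? ORDER BY order_id",
        (pan_token(pan, key),)).fetchall()
    return [r[0] for r in rows]

def demo():
    key = secrets.token_bytes(32)  # constructed; lives with the lookup service
    conn = open_store()
    blob = b"-----BEGIN PGP MESSAGE----- (constructed placeholder)"
    # Constructed test card numbers, entered with different formatting.
    store_card(conn, key, "4111 1111 1111 1111", "order-1", blob)
    store_card(conn, key, "4111111111111111", "order-2", blob)
    store_card(conn, key, "5555555555554444", "order-3", blob)
    return find_orders(conn, key, "4111-1111-1111-1111")  # returns ['order-1', 'order-2']
```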