in reply to Re: Credit Card Billing
in thread Credit Card Billing

Hi All,

thanks so much for the responses

The way I was thinking was to store the cc numbers in an sql database.

If the encrypt/decrypt key was stored in the perl script, and then the script were to be compiled using perlcc or such, would that be secure? Or would it still be the best option to just enter the encrypt key manually whenever i deal with the cc numbers, i know that method would be very secure

Thanks

Replies are listed 'Best First'.
Re: Re: Re: Credit Card Billing
by kschwab (Vicar) on Jan 05, 2002 at 21:33 UTC
    Obfuscating the key using perlcc is not the answer. The only setup I have seen that seems remotely comforting is a multi-tier design where the box that has the keys is running no services, and can only be passed transactions. (i.e, it can't be queried).

    Something like:

    
Internet =====> Firewall ===> 
        DMZ Web Server ==> Firewall ==> 
               Seriously Locked Down CC Processer
    The 'CC Processer' box should be running no services at all, and listening on only one socket. This socket should accept inbound transactions and return an ack/nack, and nothing else. This would mean that administration, key changes, logging in, etc, would have to be done at the console. The web server should only have CC number while they are in transit, and should never write them to disk.

    The folks at VISA have a pretty decent summary of what should be done to protect machines with CC data. ( It's a bit lacking on implementation details, but still good.) See: The VISA CISP Tech Info page.

[reply]
      I like the idea of single serial cable with only write access (no read) to the CC Processor and that the CC Processor is not on the network.

      Also some care should probably be taken that any variables used to store the CC info en route from CGI app to CC Processor should be nullified after the CC info has been passed along. If someone breaks into your webserver and gets root they could dump memory to core and possibly pick up CC numbers that way. Something to think about.

      metadoktor

      "The doktor is in."

[reply]

In Section Seekers of Perl Wisdom