If ssl is being used to transfer the data over the net securely, why not take it one step further, and use the same techique to encrypt the form data, with another separate public key, which can only be decoded by the receiver with his private key.
Now you have a situation where if the "store" is on a shared server, the decoded param data is still encrypted with the store owner's public key. Now, if the store owner can trust the physical and administrative security of the shared server, he can decode his param data and do what he wants.
But if the store wants to be secure, the actual cc verification and data storage would be done on another machine. The encrypted cc data would never be decrypted completely on the shared server. Now this would allow for you to "farm out" the verification to a third party (who would have possesion of your store's private key, and be held legally liable for it's security), or you could do it on a "secure compter" at your place of business, if you knew how to setup the network.
So all that would be passed around on the network, would be pgp encrypted data, or "transaction number approved" or "transaction number disapproved".
The only thing preventing this type of security is that the main browsers (IE and Mozilla) don't support pgp encrption of form data. It has ssl, but not encryption of the form data itself. It would not be hard to implement at all.
In reply to Re: Re: Re: Re: Re: 'Restricted' data, an additional security mechanism for Perl.
by zentara
in thread 'Restricted' data, an additional security mechanism for Perl.
by pjf
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |