Storing credit card numbers on hosted website.

Discussion in 'ASP .Net' started by John, Dec 15, 2004.

  1. John

    John Guest

    Hi,

    I've always had the opinion that you don't store credit card numbers on a
    hosted website database. But it has occurred to me that perhaps I am
    overreacting, and encrypted CC info may be ok. Now I know basic encryption, but
    am not confident that I know what I don't know .. you know.

    Basically, am I overreacting? Is the risk level acceptable if you store
    encrypted CC numbers or not?

    Thanks in advance.
     
    John, Dec 15, 2004
    #1

  2. John,

    It's also my opinion that you don't store credit card numbers. Our smart
    client software can take payment via credit card but we do not store the
    credit card number.

    Unfortunately the person who knows all the legal bits is off until the new
    year so I can't ask him but I think he got most of his information from the
    Data Protection Act.

    Not much help I know, sorry.
    Chris.
     
    Chris Podmore, Dec 15, 2004
    #2

  3. John

    John Guest

    Thanks Chris,

    Maybe I will repost this in January. I'm very curious to know.

    Regards,
    John
     
    John, Dec 15, 2004
    #3
  4. John

    Scott Allen Guest

    It's almost impossible to keep them secure even if they are encrypted,
    because someone else has total control over the machine. Encryption
    makes it difficult - but where would you store the key to decrypt the
    numbers?

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

     
    Scott Allen, Dec 15, 2004
    #4
  5. John

    John Guest

    "Scott Allen" <bitmask@[nospam].fred.net> wrote in message
    news:...
    > It's almost impossible to keep them secure even if they are encrypted,
    > because someone else has total control over the machine. Encryption
    > makes it difficult - but where would you store the key to decrypt the
    > numbers?


    I was thinking the key to decrypt would have to be entered by the user. It
    couldn't be stored. So basically, if you wanted to have an automatic
    monthly payment, somebody would need to go to the "processing" page, enter
    the key, and let the page run through all the charge transactions.

    Actually, another thing I was thinking; if you use SSL, that only secures
    the connection during transfer right? So the server has unsecure access ...
    but this would mean an unscrupulous hosting company or employee could be
    logging CC info anyway. Actually, would that information be logged
    somewhere on the server by default?

    Is that correct? If so, ecommerce /w a web-host is inherently unsafe.

    The more I think about this, the better idea I think a 3rd party processing
    company is.

    Regards,
    John
     
    John, Dec 15, 2004
    #5
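
Added example, not part of the original thread: posts #4 and #5 ask where the decryption key lives and suggest having it entered at processing time. John describes a key typed in by the user; this sketch swaps in RSA public-key encryption so checkout can encrypt with a public key alone, while a passphrase typed by the operator unlocks the private key for the batch run. All function names, the passphrase and the test card number are constructed, and during a run the passphrase and decrypted numbers still exist in the server's memory.

```javascript
// Added example (constructed names and values); uses only Node.js built-in crypto.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Run once, away from the hosted server. The private key is returned only as
// passphrase-encrypted PEM; the passphrase itself is never written anywhere.
function generateOperatorKeys(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Checkout path on the hosted server: needs the public key only, so the host
// never has to hold the decryption key in order to accept and store a card.
function encryptCard(publicKeyPem, cardNumber) {
  const ct = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(cardNumber, 'utf8'));
  return ct.toString('base64');
}

// Monthly processing run: the operator types the passphrase and the private
// key is unlocked in memory for the duration of the batch only.
function runBatch(encryptedPrivateKeyPem, passphrase, rows) {
  // createPrivateKey throws if the passphrase is wrong.
  const key = crypto.createPrivateKey({ key: encryptedPrivateKeyPem, passphrase });
  return rows.map((row) => ({
    customer: row.customer,
    cardNumber: crypto
      .privateDecrypt({ key, ...OAEP }, Buffer.from(row.card, 'base64'))
      .toString('utf8'),
  }));
}

// Demo with a constructed customer row and a standard test card number.
const keys = generateOperatorKeys('constructed operator passphrase');
const table = [{ customer: 'c-1001', card: encryptCard(keys.publicKey, '4111111111111111') }];
console.log('stored value:', table[0].card.slice(0, 32) + '...');
console.log(runBatch(keys.privateKey, 'constructed operator passphrase', table));
```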
  6. John

    Scott Allen Guest

    >Is that correct? If so, ecommerce /w a web-host is inherently unsafe.

    I'd think so. They have physical access to the machine and the network
    - so anything can happen.

    If the host has been around for some time and has built up a
    reputation, it might be a different case. Someone could arguably build
    a case where a host could be more secure than self hosting (their
    employees have extensive background checks, they are audited, they
    have servers in a bunker under the mountain, etc).

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/
     
    Scott Allen, Dec 15, 2004
    #6