using m2crypto to encrypt credit card numbers

Graham Ashton gashton at cmedltd.com
Tue Jun 11 15:41:28 EDT 2002


On Tue, 2002-06-11 at 14:05, Mark McEahern wrote:

> If I don't store the credit card number, how do I send it to the payment
> processor to collect payment?

I've not followed the thread, but I'm assuming that your problem is that
you don't want to store the card number in plain text, and that if you
encrypt and store it in a manner that will allow automatic decryption by
your software, then a cracker who gains access to your servers will be
able to decrypt the card numbers with ease.

The only sensible solution to this that I've ever thought of involves
getting the payment processor (i.e. online transaction processing
company) to store a hash for each of your customers' credit cards. Then
you could send them the hash each time you want to put another
transaction on the card, and they would store the card number instead of
you (and I'm fairly confident that they have to store it anyway).

Consequently you wouldn't need to store the card number at all, just the
encrypted hash. Job's a good'un; card numbers would be nicked from far
fewer online web sites with shoddy security.

Admittedly the eggs all go in one basket, but if the payment processor
stores them all anyway then all the eggs are already sat in the same
basket.

But I don't know of any companies that provide such a service. :(

And I may also have completely misread the direction of the thread from
the last post....
-- 
Graham Ashton
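The arrangement sketched above (the processor keeps the card, the merchant keeps only an opaque reference and charges against it) is what card processors now offer as tokenization. The following is an added illustration, not code from the thread: a toy Python model of both sides, in which the vault, merchant and test card number are constructed stand-ins, and the reference is a random token rather than a hash of the card number, because the keyspace of 16-digit numbers is small enough to brute-force from a hash.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum; catches typos, not fraud."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0


class ProcessorVault:
    """Stand-in for the payment processor: the only party holding card numbers."""

    def __init__(self):
        self._cards = {}      # token -> (pan, expiry); never leaves this object

    def tokenize(self, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        # Random token: carries no information about the PAN, so a stolen
        # token database cannot be reversed offline the way a hash could.
        token = secrets.token_urlsafe(24)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        card = self._cards.get(token)
        return card is not None and amount_cents > 0


class Merchant:
    """Merchant side: stores the token and last four digits, nothing else."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.customers = {}   # customer_id -> {"token": ..., "last4": ...}

    def enroll(self, customer_id: str, pan: str, expiry: str) -> str:
        token = self.vault.tokenize(pan, expiry)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def rebill(self, customer_id: str, amount_cents: int) -> bool:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)
```

A compromise of the merchant database then yields tokens that are only usable against that merchant's processor account, and the only card data on the merchant side is the last four digits.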
