using m2crypto to encrypt credit card numbers

Graham Ashton gashton at cmedltd.com
Wed Jun 12 05:52:48 EDT 2002


On Tue, 2002-06-11 at 21:12, Mark McEahern wrote:

> Also, another reason I need to store the credit card number is in the case
> of chargebacks, which don't go through the payment processor--rather, they
> go through the bank.  I don't fully understand this part, but I do believe I
> need the credit card number in order to link the chargeback to a
> transaction.

I'd forgotten all about that side of it. My only experience of
chargebacks involved banks querying fraudulent transactions (i.e.
somebody had entered somebody else's credit card into our site). It
happened a hell of a lot and cost us (my last company) an enormous
amount of developer time writing tools to combat fraud. If you get too
much fraud (I think the limit was 40% fraud by value in the UK, but my
memory is hazy) going through your site you can get your merchant ID
status revoked by the banks (i.e. you get your transaction processing
account chopped).

Anyway, the only information that the banks could give us that enabled
us to uniquely identify fraudulent transactions (so that we could refund
them) was the card number and the time the transaction was made.

This makes my idea somewhat less feasible (but you could still store
card numbers in a more tightly secured database than the one that stores
the card hashes if you could find a provider that could do recurring
charges). Sadly, I don't know of any.

-- 
Graham Ashton





