[TriLUG] Storing Credit Card Numbers

Brian Henning brian at strutmasters.com
Tue Mar 15 15:19:13 EST 2005


That sounds interesting.  My only concern there is, wouldn't that mean 
the queries are in-the-clear?  I'd much rather have the data stay 
encrypted whenever it's outside the confines of the POS terminal.  That 
way network sniffage wouldn't reveal sensitive data.  (and I'm also 
logging SQL queries for the time being, so that would be bad)

~B

Greg Brown wrote:
> You can encrypt data inside tables in mysql.  I have done this before, a 
> good while ago, and only to prove that I could do it.  A quick google 
> search produces the following:
> 
>  MySQL Reference Manual :: 12.8.2 Encryption Functions
> http://dev.mysql.com/doc/mysql/en/encryption-functions.html
> 
> MySQL Reference Manual :: 5.4.1 General Security Guidelines
> http://dev.mysql.com/doc/mysql/en/security-guidelines.html
> 
> If I had my cookbooks with me I could tell you the page numbers, but 
> there is good info in the mysql cookbook.  PHP also has some encryption 
> functions so you could do something snazzy like encrypting encrypted 
> fields if you wanted.
> 
> Greg
> 
> 
> On Mar 15, 2005, at 1:01 PM, Brian Henning wrote:
> 
>> Hi Guys,
>>   It's becoming inevitable that my employer is going to ask me to add 
>> the ability to store credit card numbers to a point-of-sale 
>> application I've been developing.  I've been steadfastly refusing to 
>> do so thus far because I don't want the security responsibility for 
>> the data...  But it's become clear that we really do need to be able 
>> to retrieve the data to do things like process RMA credits and whatnot.
>>
>> So my question is...  What encryption scheme should I be studying?  I 
>> really don't know a lot about encryption..  Here are the requirements 
>> I have for whatever method you folks suggest.
>>
>> - Easily integrated into the application as it is.  Something that 
>> could live in a MySQL field or two would be optimal.
>> - Reversible, obviously.
>> - Reasonably secure against decryption by Bad Guys.
>> - Reasonably easy to work with in Java.
>>
>> The MySQL server doesn't answer requests outside the local net, but I 
>> have to assume that there's a chance someone could get in and see the 
>> raw table data..
>>
>> So.  Suggestions?
>>
>> Thanks!
>> ~Brian
>> -- 
>> TriLUG mailing list        : 
>> http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>>
> 
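The approach Brian prefers in the reply above, encrypting in the application so that neither the wire, the MySQL server nor the SQL query log ever sees a card number, can be shown directly in Java, which the original post names as the target language. The following is an added example written for this page; it is not code from the thread, from the point-of-sale application, or from the MySQL documentation linked by Greg. It uses AES-GCM from the standard `javax.crypto` API (authenticated, so a tampered row fails to decrypt), stores `iv || ciphertext || tag` as a Base64 string that fits in an ordinary `VARCHAR` column, and contrasts the query text that would be logged for the MySQL `AES_ENCRYPT()` approach against the query text for the application-side approach. The class name `CardVault`, the column name `pan`, the sample card number and the in-memory key are all constructed for the demonstration; a real deployment would load the key from a keystore or file outside the database.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Application-side encryption of a card number before it reaches the database. */
public class CardVault {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    public CardVault(SecretKey key) { this.key = key; }

    /** Returns base64(iv || ciphertext || tag), storable in a VARCHAR/TEXT column. */
    public String encrypt(String pan) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);  // fresh IV per record; never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(pan.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses encrypt(); throws AEADBadTagException if the stored value was altered. */
    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key. In the application the key is loaded from a keystore or
        // file outside the database, never from a table sitting next to the data.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        CardVault vault = new CardVault(kg.generateKey());

        String pan = "4111111111111111";  // constructed test number, not a real card
        String stored = vault.encrypt(pan);

        // What a query log or a network capture would contain under each approach.
        // (Strings are concatenated here only to show the logged text; real code
        // binds the value through a PreparedStatement parameter.)
        String sqlSideQuery = "INSERT INTO cards (pan) VALUES (AES_ENCRYPT('"
                + pan + "', 'secret-key'))";
        String appSideQuery = "INSERT INTO cards (pan) VALUES ('" + stored + "')";
        System.out.println("server-side encryption, logged query: " + sqlSideQuery);
        System.out.println("application-side encryption, logged query: " + appSideQuery);
        System.out.println("card number visible in app-side query? " + appSideQuery.contains(pan));

        // Retrieval for an RMA credit: the row is decrypted only inside the application.
        System.out.println("recovered original? " + vault.decrypt(stored).equals(pan));
    }
}
```

With the server-side `AES_ENCRYPT()` form, both the card number and the key travel to the server inside the query text, so they land in the general query log and in any packet capture of an unencrypted MySQL connection. With the application-side form, the only thing that leaves the terminal is the Base64 ciphertext, so the same log line reveals nothing usable, and the encryption key never has to exist on the database host at all. Because GCM authenticates the stored value, a row that has been altered in the table is detected at decrypt time rather than silently yielding a wrong number.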


