Hi,
I want to know how I can encrypt data such as credit card numbers before saving them into MySQL, and I should be able to retrieve them (decrypt) whenever it's required?
Thanks
Technology News @ www.JassimRahma.com
Jassim Rahma wrote: I want to know how I can encrypt data such as credit card numbers before saving them into MySQL, and I should be able to retrieve them (decrypt) whenever it's required?
Please don't store credit card information, and do have a look at the PCI SSC Data Security Standards.
Best regards
Espen Harlinn
I read the other post, which says to never store credit card numbers on your server.
I thought about the subject, and don't find a difference in storing a token number to use a credit card number on a payment gateway server versus just storing the credit card number.
The trick is to never expose the number, only display cloaked numbers.
But try to use at least 256-bit encryption if you can, and choose a type that is supported by C++, .NET and so forth, in case you need to encrypt and decrypt on other operating systems in the Windows family.
Be careful now, the world will be on your shoulders.
.NET Encryption Simplified
This one is better
Encryption/Decryption Function in .NET using the TripleDESCryptoServiceProvider Class
jkirkerx wrote: don't find a difference in storing a token number to use a credit card number on a payment gateway server versus just storing the credit card number.
One of the differences is that the payment gateway has probably been through a thorough Q&A procedure. Another is that it's usually the provider of the payment gateway that carries the responsibility if anything goes wrong, as you usually redirect the user to a site operated by the vendor of the payment gateway to perform all operations related to online payment by credit card ...
Now, if you encrypt the data, how do you handle the key? If you look at the OWASP Top 10 for 2010, 'Insecure Cryptographic Storage' ranks as the 7th most common security related error.
I get payment gateway vendors calling me every week to use their services. They claim to pay for my PCI testing, but in return, I have to shift all of my customers to their service.
The ultimate problem is where to store the keys. If you store the keys where an IT employee can gain access to them, then you have a breach in security, and that employee can turn on you and sell the keys and the data.
I'll read the link you attached.
I've been thinking about it for years now.
jkirkerx wrote: I have to shift all of my customers to their service
Not really, they should handle only the operations related to the monetary transaction, and never touching the credit card info of your customers protects you from potential slander too.
jkirkerx wrote: If you store the keys
If you do that, you really have to be sure what you're doing. In an ideal world I would not touch anybody else's certificates, or anything else that can be used to compromise the security of their system. When the sh*t hits the fan, people will be looking for scapegoats - so I do things the standard way, leveraging the capabilities provided by the platform that can be configured using tools provided by the platform vendor.
I'm not joking about the payment gateway vendors here in the US.
In the beginning, about the year 2006, one company in Denver Colorado offered the token service.
I wanted to write for Chase Payment Tech, but JP Morgan cut a deal with a company in Denver to give them all the gateway business, but in exchange, you had to use their token system. They wanted my company to pay them a huge fee to use the system ($7500.00 USD), plus change my software to a single payment gateway solution.
I did some digging, and found the API for Orbital-Salem and Tampa, and a sandbox to test against, and was able to write my code for Payment Tech.
In about the year 2010, I started getting calls from these small payment gateway start ups. Same scenario, but they claimed to pay for everything. But the terms of agreement were identical.
In the year 2011, I started getting calls every Friday morning from various payment gateway companies offering the same exact service with the same exact terms. After a couple of months, they kept calling and started threatening me with terrible scenarios.
I've come to the conclusion that someone out there wrote a token system for payment gateways, and sold hundreds of copies of the program to cash in on the credit card processing market.
Overall, when considering the trade-off, with morality as the focal point, I don't want to get locked into their system, locked into monthly fees being raised every 6 months, out-of-control AVS lookup surcharges, Batch Capture surcharges, to the point where the normal service fee of $20.00 a month goes to $150 a month. - And then I'm trapped and I can't leave them, because my application is dependent on them.
I'm not looking at this from just a programming point of view, or the theory of practical security, shifting responsibility or blame up the ladder. I see the whole picture in play here.
I can see me getting blamed for not protecting the tokens and it all comes back on me.
I respect your opinion, and overall in theory it makes pure sense, and is the logical choice of course, but then the morality of people comes into play here.
I like your website, nice and clean.
jkirkerx wrote: then the morality of people comes into play here
Money, morality - those are words you seldom see mentioned in the same sentence.
I've implemented 'real security' three times in my life - I think the stuff I did works as it's supposed to, but that's the only pieces of code I've written that I've ever been really nervous about.
jkirkerx wrote: I like your website, nice and clean.
Thank you, I think it needs a brush-up to look modern, and lately a few pages don't work as they are supposed to. I looked long and hard at a prize-winning site when I built it, and I guess I borrowed more than a few ideas.
As for your conclusions, you are probably right.
Well thanks!
You lit my fire today, and hit the torture button on me.
After reading Jassim's comment,
I was wondering who's drinking the red or blue kool-aid. (Kool-aid is a powdered drink for kids that comes in various colors and flavors, with a reference to Morpheus and the red or blue pill).
I wrote my eCommerce App, sweated out the credit card encryption and security for years, had numerous conversations on the subject. And the question I always ask myself, are they really that much better than me, or is it just talk and aggressive persuasion, projecting pure confidence on the subject as if I'm a moron, yet they did the minimum required to protect sensitive or personal information.
Perhaps it's like stealing money: you can rob it from the cash drawer, skim it, rob a bank, counterfeit it, swindle it, create digital counterfeit currency, steal it electronically, and it just goes on and on, limited only by the imagination.
Espen Harlinn wrote: I've implemented 'real security' three times in my life
When our time comes and we pass on, we may never know the answer. You're a sharp guy, I'm sure you thought it through.
Alright, this is a dead horse for me, and I'm not going to beat it with my stick anymore.
To close, the answer I always got back was the same, - people will hack the path of least resistance. - Joe Maloney
jkirkerx wrote: I always ask myself, are they really that much better than me
Probably not, but if they go wrong you are not to blame.
When you have access to people's credit card information, a lot of people can do you a lot of harm, even if you did nothing wrong - just by pure slander.
jkirkerx wrote: I'm sure you thought it through
That's when you realise all the stuff that can go wrong.
The difference is, the token authorizes a certain thing, like a one-time payment, on a particular card. The card number itself authorizes almost anything you want to do. So, the token protects both parties.
For PCI compliance you CAN NOT store the CC NUMBER. You must obtain a token from the authorizing service and you must use that. Some tokens are one-time usage, but others may be stored to authorize monthly payments for example. You may store and display the "LAST 4" of the credit card number to help the user identify which account is being used.
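The token-plus-last-4 design described in this reply, as an added Python example that is not code from the thread: the merchant row keeps a provider token and the last four digits, never the card number. `FakeGateway` is a constructed stand-in for the provider's vault (not any real gateway API), and the card number used in the check is the well-known test value, not a real card.

```python
import secrets

# Added example: the merchant side stores only a token and the last four
# digits; the full card number (PAN) is held by the payment provider.
# FakeGateway is a constructed stand-in for that provider, not a real API.

def luhn_valid(pan: str) -> bool:
    """Check the card-number check digit so typos are rejected before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Cloaked form for display: only the last four digits survive."""
    digits = "".join(c for c in pan if c.isdigit())
    return "**** **** **** " + digits[-4:]

class FakeGateway:
    """Constructed stand-in for the provider that holds the real card data."""
    def __init__(self):
        self._vault = {}                   # token -> (pan, permitted use)

    def tokenize(self, pan: str, scope: str) -> str:
        token = secrets.token_urlsafe(16)  # random; carries no card digits
        self._vault[token] = (pan, scope)
        return token

    def charge(self, token: str, scope: str) -> bool:
        entry = self._vault.get(token)
        # a token authorizes one thing (its scope); the raw number would authorize anything
        return entry is not None and entry[1] == scope

def store_card(gateway: FakeGateway, customer_id: str, pan: str, scope: str) -> dict:
    """The row the merchant database keeps: token and last4, never the PAN."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    token = gateway.tokenize(pan, scope)
    return {"customer": customer_id, "token": token,
            "last4": pan[-4:], "display": mask_pan(pan)}

def record_leaks_pan(record: dict, pan: str) -> bool:
    """Guard for tests and log review: does any stored field contain the full number?"""
    digits = "".join(c for c in pan if c.isdigit())
    return any(digits in str(v) for v in record.values())
```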
Right
Dear All,
I am facing this problem when accessing the ASP.NET Web Site Administration Tool. If I put my website in C: then the ASP.NET Web Site Administration Tool works fine, but when I try to open it for a website located somewhere else on my hard disk, it gives me the above-mentioned error.
Please Help
Thanks in advance
Adi
I have added the AutoCompleteExtender feature for a text box in a user control. I have used the user control in a page. The AutoCompleteExtender feature is not working the very first time. Can someone help me with this?
I have added the AutoCompleteExtender feature for a text box in a user control. I have used the user control in a page. The AutoCompleteExtender feature is not working the very first time. Can someone help me with this? Moreover, I'm new to .NET.
A page P contains a user control U. That user control U contains a timer T. When the timer T's tick event occurs, the page P flickers while the page P is being scrolled.
Any solution to stop this page flickering?
Timer T ticks every 8 seconds.
How can we start and stop an AJAX Timer control using JavaScript or jQuery... any views?
function startTimer()
{
    // $find resolves the client-side component behind the server Timer control;
    // the ASP.NET server tag emits the control's runtime ClientID
    var timer = $find("<%=ajaxTimer.ClientID%>");
    if (timer) timer._startTimer();
}
function stopTimer()
{
    var timer = $find("<%=ajaxTimer.ClientID%>");
    if (timer) timer._stopTimer();
}
The above code assumes that you have an AJAX Timer control on the page named ajaxTimer.
Maulik Dusara
Sr. Software Engineer
I have already used this. When the page is loaded I stopped the timer using the same function stopTimer(); at that time the timer is stopped and there is no flickering in the page.
But in some event when I start the timer using the same method startTimer(), the timer starts.
But when I tried to stop the timer during the page scrolling event, the timer didn't stop and page flickering occurs every 8 seconds, as I set the timer interval to 8 seconds.
Thanks for your response.
Please give some more ideas.
Hello,
how do I set up a drop-down menu in an ASP.NET web application, a menu where a submenu appears when I hover the mouse over it, and thank you
This is an English language web site, not French. If you expect to get an answer at least have the courtesy to run your question through a translation tool before posting.
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
nils illegitimus carborundum
me, me, me
In addition to being in the wrong language, this question is really too general to answer. There are a thousand techniques for creating drop-down menus with sub-menus. You need to decide on one of those techniques and attempt to implement it. If you have trouble getting it to work, come and ask questions.
Good Day,
I am an IT Programming graduate with MCPD and MCTS qualifications. I have been looking for an entry role since I graduated, and recently I have been offered an internship. I have to start on 2013/04/06.
I am glad that this is the chance to unfold my career.
The languages that I will be using are C#, HTML, ASP.NET and SQL. I have been told that I will start by designing the forms according to business rules or clients' requirements.
Can you please give me some tips in order for me to succeed in my internship?
Below are my questions:
1. How do I succeed in becoming a good candidate?
2. What is it that I have to do?
3. How do I design good forms (provide a URL)?
4. Which website must I use to do research?
Thanks for your help..
sitholimela
Do not cross-post!!!
1: To succeed: you have 2 ears and one mouth. Keep your ears open and your mouth closed and you'll go far.
2: Read 1 again and follow the instruction.
3: Read and understand the requirement.
4: You're already there.
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
nils illegitimus carborundum
me, me, me