[ic] Credit Card numbers Stored Encrypted in SQL Database - No Answer Yet

Jon Jensen jon@akopia.com
Wed, 25 Apr 2001 15:24:56 -0500 (CDT)


On Wed, 25 Apr 2001, Russ Mann wrote:

> So, correct me if I'm wrong, but because of the RH takeover, IC loses
> functionality?  There is ZERO risk involved with storing CC#'s on disk if
> they're ENCRYPTED, Which is precisely what I'm trying to do.  It worked just
> fine in MV....

It still works fine. I just did it the other day.

First, make sure all your PGP encryption is set up and working right. You
should be getting PGP encrypted card info in the order email sent to you.

Now you need to add a field for the encrypted info to your transactions
database. I called mine 'cc_info'. Make sure the field is large; in MySQL,
I used type 'text'.

Then edit etc/log_entry and etc/log_transaction. In each one, after this
tag:

[import table=transactions type=LINE continue=NOTES]

add:

cc_info: [value filter=mac name=mv_credit_card_info]

That should do it.

Keep in mind that this is only relatively secure if the secret key and
passphrase are not on a network-connected machine at all. It's perfectly
safe to encrypt the number and store it; adding one-click functionality
requires that you somehow decrypt it automatically, which is where you
open a large security hole. Leaving aside Amazon's patent claims on the
technique ...

Jon
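
Added example, not part of the original message or of Interchange: a Python check an administrator could run over the transactions table to confirm that every cc_info value is a complete ASCII-armored PGP message, flagging plaintext card numbers and values cut off by a too-small field. It uses an in-memory SQLite table with constructed rows in place of the MySQL database; the order_number column name and the armor sample are assumptions.

```python
import re
import sqlite3

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Return 'ok', 'empty', 'plaintext_pan', 'not_armored' or 'truncated'."""
    text = (value or "").strip()
    if not text:
        return "empty"
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "plaintext_pan"      # a card number reached the table unencrypted
    if not text.startswith(ARMOR_BEGIN):
        return "not_armored"
    if not text.endswith(ARMOR_END):
        return "truncated"              # field too small: ciphertext is unrecoverable
    return "ok"

def audit(conn):
    """Return {order_number: status} for every row whose cc_info is not 'ok'."""
    rows = conn.execute("SELECT order_number, cc_info FROM transactions")
    return {o: s for o, v in rows if (s := classify(v)) != "ok"}

def demo():
    """Run the audit over constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (order_number TEXT, cc_info TEXT)")
    armored = ARMOR_BEGIN + "\n\nhQEOA0constructedSampleOnly==\n=AbCd\n" + ARMOR_END
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", [
        ("T0001", armored),                          # what log_transaction should store
        ("T0002", "4111 1111 1111 1111 exp 12/02"),  # well-known test number, in the clear
        ("T0003", armored[:40]),                     # cut off by a short column
        ("T0004", ""),
    ])
    return audit(conn)
```

The check only inspects the armor framing and looks for card-number patterns; it never needs the secret key, so it can run on the web server without weakening the offline-key arrangement described above.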