[ic] Encrypted CC#'s in SQL, and CC# Identifier - Almost Done - Partial Solution

Russ Mann tech@khouse.org
Wed, 25 Apr 2001 17:49:55 -0600


Sorry for starting this.  Within reason, there is no added risk by storing
CC#'s in PGP.  When was the last time you heard of a hacker breaking into a
firewalled Linux system, and decrypting thousands of CC#'s that were PGP'd?
Obviously there is a remote possibility of a security breach, but that's not
compounded by storing encrypted CC's instead of just emailing encrypted
CC's, realistically.

The whole point is this is OSS and where there's a will, there ought to be a
way to do something.
In case there are others out there who need this functionality, here's the
partial solution.  Please see below to help with additional problems.

Partial Solution, assuming you already have PGP working on your CC#'s:

In etc/log_entry:

Update userdb: [perl table=userdb]
	my $id = $Values->{username} = $Values->{customer_id};
	@always = qw/
					company
					fname
					lname
					address1
					address2
					city
					state
					zip
					country
					phone_day
					mv_shipmode
					mv_credit_card_type
					mv_credit_card_exp_month
					mv_credit_card_exp_year
					mv_credit_card_xref
					mv_credit_card_info
					email
					phone_night
					fax_order
					email_copy
					mail_list
	/;

In profiles.order under the checkout_profile:

&calc = $Values->{mv_payment} =~ s/\%c/$Values->{mv_credit_card_type}/g; 1;
&final = yes
&setcheck=mv_email [value email]

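[calc]
        # Keep digits only; an absent form field is treated as empty.
        my $ref = $CGI->{mv_credit_card_number} || '';
        $ref =~ s/\D+//g;

        # No new number entered: keep the identifier already on file
        # instead of overwriting it with an empty string.
        return unless length $ref;

        # Replace every digit except the last four with X.
        if ($ref =~ /(.*)(\d\d\d\d)/) {
                my $head = $1;
                my $tail = $2;

                $head =~ s/\d/X/g;
                $ref = $head . $tail;
        }
        $Values->{mv_credit_card_xref} = $ref;
        return;
[/calc]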
__END__


In checkout.html:
[if value mv_credit_card_info]
<tr><td colspan="2">
  <p><b>Note:</b>
  A valid <b>[value mv_credit_card_type]</b> number is on file.<br>
  If you need to change it, re-enter the number.<br>
  Otherwise, leave it blank and <b>Go To Next Step</b>.
  <p>
  The current Credit Card number can be identified by this:<br>
  <b>[value mv_credit_card_type] - Expires:
  [value mv_credit_card_exp_month]/[value mv_credit_card_exp_year] -
  CC# Identifier:[value mv_credit_card_xref]</b>
</td></tr>
[/if]

And of course in the userdb SQL database, add
mv_credit_card_info as text, and mv_credit_card_xref as varchar(255).




-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-
What I still don't have working is going through the checkout process and
letting IC know that the CC# is already set.  For some reason it did this
automagically in MV, but I can't seem to fool IC.  I've even displayed
[value mv_credit_card_info] on the checkout page, which comes up with the
PGP string, and it still wants another CC#.

Any ideas?

Thanks,
Russ