[Hidden-tech] Shopping cart security

Peter Hutchins peter at litmusdesigns.com
Thu Feb 21 07:10:00 EST 2008

Previous message: [Hidden-tech] Zen Cart experts?
Next message: [Hidden-tech] Shopping cart security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'd like to run a development concept past the security minded folks
out there for some critical feedback:

I'm setting up a shopping cart for a client who wants to process
credit card purchases "offline", i.e.: run the transaction through
their credit card terminal as though it were a phone order without a
web-based payment gateway or merchant account. This obviously requires
collecting and storing critical credit card data until the store owner
processes the transaction, at which point the critical data can be
deleted.

Here's my proposed solution for securely handling the data:
1. CC info is gathered in a SSL encrypted form
2. expiration data and ccv are written to a database and encrypted via
mysql's AES_ENCRYPT() (this DB is separate from the regular store DB
providing separate password protection, in case the first DB is
compromised)
3. credit card number is split into two parts, with one half being
encrypted and written to the database with the transaction above
4. the other half of the credit card number is written to a file that
is encrypted with GnuPG and emailed to the store owner (protecting it
with a Private/Public key and passphrase).
5. when the store owner gets the email, he logs into the store admin,
views the online credit card info, processes the order and deletes the
online data from the database and the email from his inbox.

- One issue I see is that the database login and encryption key for
that half of the process must be stored on the server, rendering it
vulnerable to compromise, but the other half of the CC info is still
protected.

So, my questions are:
- Is this secure "enough"?
- Is there a better way?

Thanks!
-Peter Hutchins

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
Peter Hutchins
Litmus Designs
505 S. Albany St.
Ithaca, NY 14850
413.582.7038 voice
413.517.0596 fax
www.litmusdesigns.com

web design, custom programming & graphic design
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20080221/a9b420d3/attachment-0005.html

Previous message: [Hidden-tech] Zen Cart experts?
Next message: [Hidden-tech] Shopping cart security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Hidden-discuss mailing list