Best Encryption Method

Anon

Hello,

I need to encrypt sensitive data (credit card information and customer passwords) and store the encrypted data in MySQL, which I will later retrieve, decrypt, and use.

I am looking for the strongest encryption method/function available in PHP. I would really appreciate it if someone could take the time to help me out.

Thanks in advance.

mattw

Just don't do it. Ask yourself a couple questions...

Are you going to store the encrypted credit card information and the scripts to decrypt it on the same server?
If yes, don't you realize that if the server is hacked, your information might as well not be encrypted?

If you are dealing with peoples credit card data, you have a responsibility to handle it as securely as possible. In my opinion, this means that if credit card data needs to be retained (and it really only should be for recurring payments), it needs to be housed on a server that is not normally connected to the network. Said server should only connect when necessary, and even then strict controls should be in place.

Think this all sounds over the top? You won't when your server gets hacked and 10,000 customers have their credit cards stolen.

Check out this older slashdot discussion on the topic:
http://slashdot.org/article.pl?sid=01/12/25/0657209&mode=thread

Matt Wade
codewalkers.com

Anon

All certainly valid concerns. That said, however, if such a process were to be carried out, _en_cryption perhaps should still be performed on the web server, so that only encrypted data ever resides for any length of time on the web server, or makes the trip from one machine to the other. Needless to say, the web server is to be kept ignorant of the decrypt key.

PHP has native support for the mcrypt library. Obviously in this scenario you should go with some trusted (for some value of "trust") encryption standard that's supported widely enough for you to keep your options open at the other end.