An alternative way of handling credit cards

Davidc316

Hi,
I've recently been asked to build an online shop for a local company. The only thing is... they want to be able to check for new store orders via the shop admin panel (the bit that they would normally log onto to add/delete items and so on).

Anyway, the upshot is that in order to view and process orders they are basically wanting to be able to view the order details from a webpage (as opposed to encrypted email, for instance).

So... the way that they're wanting me to do this is to have it so that when an order is placed, a text file is created with all the order details (including credit card details!) and stored in a secure server (SSL).

I've never saw any book or any website talking about this method, so I was just wondering if anyone could give me a thumbs up or a thumbs down on whether or not that would be secure.

I've been assured that the method described above is how CGI shops work (and they seem to be getting along quite happiliy). But I just need a little bit of advice with this one before I can proceed with any degree of confidence.

Thanks!

steadyguy

I'm sure there are plenty of sites that use this method (heck, Amazon.com has all my data stored in their db). Speaking of which, a db might be better than a flat file, because they're a good bit harder to get into - just be careful of SQL injections, and session hijacking. Also, you might want to alert your client to the fact that even using SSL and other security precautions, absolute security is impossible.

superwormy

Make sure that you store your text files with CC info OUTSIDE of the www/ or htdocs/ directory, so they're not accessible directly through the web server... seems obvious but worth mentioning :-)

Also, if I were you, I'd store it encrypted in a database instead ( if you can ) or at the very least just encrypted, much more secure.

Davidc316

Thanks guys.

Super, I have to admit... I'm not familiar with the concept of encrypting MySQL data. Could you provide me with a link or something so that I can learn a little more about how this is done?

Davidc316

Super- can I just add that I am aware of products like "Codelock". But my fear with something like that is that it encrypts literally everything that comes and goes from the server. Including non sensitive web pages.

That would surely slow everything down. Right?

Furthermore, with something like Codelock, the info that is stored on the MySQL database would have no encryption at all. Right?

And if that's the case, then surely it presents a security problem.

Whether or not we happen to encrypt our data as it makes its way to the MySQL database is irrelevant. The big fear here, remember, is that someone hacks into MySQL and can view all of the MySQL tables.

Have I got that right?

PS- I've got myself into a bit of a mess here and ended up talking about the same thing on two different threads. Sorry if I appear to be repeating myself.

superwormy

No idea what Codelock is... I was talkign about encrypting the data in teh files / database, not about encrypitng anythign while its in transport...

www.php.net/mcrypt
http://www.mysql.com/doc/en/Miscellaneous_functions.html