Encryption and security

Anon

I'm in the process of building a PHP site that is supposed to accept credit card payments over the 'net.

I know that in addition to APache and MySQL, we are going to need OpenSSL, modSSL AND a security certificate to make this all work. Are there any other elements I should be aware of?

Secondly, how do you suggest is the best, most safest way to store the data within MySQL and what are the best practices for safe PHP scripting?

Thanks for your time,
KABOOM

Anon

If you have to store any sensitive information in a database/file/anywhere please pass it through md5. The worst case scenario would be someone hacking your database and retrieving cc#'s passwords experation dates especially if they were stored as plain text... and also if the server is on an hosted enviroment and you have session support enabled and are using file storage for those sessions other users on the shared host could have access to all the information stored in the session.. which could include usernames passwords item numbers anything sensitive or non sensitve... not only is protecting your customers passwords/cc#s important but protecting the information on what they are buying.. how much of it they are buying and when they are buying it... is also important... and will prevent people from taking business from you.

$0.02

-Jon

jdaniel

Give a little more detail about what you want to do. In some cases you don't have to store the numbers on your server. You can use the CyberCash service which stores the numbers for you on their network, you simply have to pass the data in an encryted format.

But there are many options as far as storing them on your own server.

For starters, do you want to authorize and/or charge the numbers in real-time?

Jonathan

kparker

any sensitive information ...please pass it through md5

Actually, this is only a workable suggestion for things like passwords, where you never need to recover the plaintext. I can't picture any reason to store the hash of a ccard.