Where and how to store my Secure Key?

What is the best practice when dealing with Secure Keys? My problem right now is my boss wants us to store credit card numbers for processing.

I've set up a SSL site, generated my secret key and am storing everything encrypted(AES) in a database. My problem is how do i protect this secret key???? i can't just leave it sitting in plane text in the .cfm file!

Thanks
DSFX.

Unless you are absolutely sure you can meet the PCI compliance standards, do not store credit card numbers. Which basically means: do not store credit card numbers.

The compliance rules are very strict are are difficult to meet without an entire team of people dedicated to ensuring compliance. Amazon has these resources. You probably do not.

There's really few reasons to store card numbers anyway. You don't need to store them to make charges or credits. Save yourself a lot of pain and potential lawsuits and just don't do this.

But to answer your question: yes, you have to store the key somewhere in your code, otherwise there's no way the application can encrypt or decrypt anything. Which means part of the problem is making sure that there is no way for someone to hack the site and get at the source code where the key is stored.

You have no idea how happy i am to hear this! Thanks.

On the off chance that this may help somebody there are several services that will help you collect payment and will meeting PCI compliance.

Ben Nadel talks about stripe.com's service in this blog post. I found it very helpful and insightful.

http://www.bennadel.com/blog/2286-A...-ColdFusion.htm