#1
    Contributing User

    Where and how to store my Secure Key?


    What is the best practice when dealing with Secure Keys? My problem right now is my boss wants us to store credit card numbers for processing.

    I've set up an SSL site, generated my secret key and am storing everything encrypted (AES) in a database. My problem is how do I protect this secret key? I can't just leave it sitting in plain text in the .cfm file!

    Thanks
    DSFX.
#2
    Moderator

    Unless you are absolutely sure you can meet the PCI compliance standards, do not store credit card numbers. Which basically means: do not store credit card numbers.

    The compliance rules are very strict and are difficult to meet without an entire team of people dedicated to ensuring compliance. Amazon has these resources. You probably do not.

    There are really few reasons to store card numbers anyway. You don't need to store them to make charges or credits. Save yourself a lot of pain and potential lawsuits and just don't do this.
#3
    Moderator

    But to answer your question: yes, you have to store the key somewhere in your code, otherwise there's no way the application can encrypt or decrypt anything. Which means part of the problem is making sure that there is no way for someone to hack the site and get at the source code where the key is stored.
#4
    Contributing User

    Originally Posted by kiteless
    Unless you are absolutely sure you can meet the PCI compliance standards, do not store credit card numbers. Which basically means: do not store credit card numbers.

    The compliance rules are very strict and are difficult to meet without an entire team of people dedicated to ensuring compliance. Amazon has these resources. You probably do not.

    There are really few reasons to store card numbers anyway. You don't need to store them to make charges or credits. Save yourself a lot of pain and potential lawsuits and just don't do this.
    You have no idea how happy I am to hear this! Thanks.
#5
    Contributing User

    Originally Posted by dsfx
    You have no idea how happy I am to hear this! Thanks.
    On the off chance that this may help somebody, there are several services that will help you collect payment and will meet PCI compliance.

    Ben Nadel talks about stripe.com's service in this blog post. I found it very helpful and insightful.

    http://www.bennadel.com/blog/2286-Ac...ColdFusion.htm
