  1. #1

    credit card number encrypted

    I have a customer who wants the offline credit card module but is bent on having the digits stored on the database encrypted. Is there a way to do that?

    Many thanks for any help.

  2. #2

    Re: credit card number encrypted

    Before you go down this road, there are several issues to consider, and you should (tactfully) advise your client of them.

    These include:-

    The nature of the Merchant Agreement your client has with their clearing bank/payment gateway.

    Legal constraints regarding the storage of sensitive data.

    Your webhost's policy on credit card data storage.

    The security of the server on which this data is to be stored.

    Compliance with secure data storage protocols.

    Level of SSL encryption and the additional security features offered by the Certificate Issuer.

    ... and a few more, I'm sure.
    20 years a Zencart User

  3. #3

    Re: credit card number encrypted

    Sorry, I should have been clearer. Not all the digits, just the standard half of them that zencart stores anyway. They want those encrypted. I've worked out a patch that allows them to delete these digits from the admin after processing, but can I encrypt it like the CVV is stored (if stored, I don't of course)?

  4. #4

    Re: credit card number encrypted

    You could do that, but - encrypting them in the database will not allow you to read the numbers for processing. Decrypting them involves having a public and private key - not to mention the other things mentioned above.

    This is an old article, but you might want to have your client read it - http://www.networkworld.com/news/2005/061305-pci.html
    Please do not PM for support issues: a private solution doesn't benefit the community.

    Be careful with unsolicited advice via email or PM - Make sure the person you are talking to is a reliable source.

  5. #5

    Re: credit card number encrypted

    I have the client's site on a standard shared hosting environment. I have HTTPS activated for all transfer points of sensitive data I can think of. Isn't this generally accepted as reasonably secure? While I might be able to get around encrypting the credit card, surely there is lots of other info that I need to be worried about if the database is indeed compromised? Surely that comes down to the security of the host?

    The client REALLY wants the credit card partial number in the database encrypted. What would you guys do in that situation? Force them to sign up to a comprehensive payment gateway so it's not even an issue, or is it a legitimate request? Is the basic offline credit card mod generally accepted as secure and safe on the shared hosting environment I am on?

    As you can tell, I'm a bit of a novice in regards to this credit card processing and security. Thanks for your answers and time.

  6. #6

    Re: credit card number encrypted

    The partial number in the DB is of no use to anyone anyway,
    so encrypting it, while doable, is not really needed.

    There is no more of the card number stored in the DB than there is on ANY sales receipt that you get anywhere.

  7. #7

    Re: credit card number encrypted

    If I was to appease this customer, how complicated is it to encrypt this field like the CVV is (if stored)?

Zen-Cart, Internet Selling Services, Klamath Falls, OR