[UPHPU] Is https enough?

Ben Reece breece at doba.com
Thu Jun 14 07:49:21 MDT 2007


1) If you're using mysql, see the aes_encrypt and aes_decrypt functions 
-- they'll do the industry standard encryption for you.  PHP has similar 
functions available as well.  I imagine 1and1 has at least one of those 
available.

2) Unless you're a cryptographer, I don't think they'd be convinced it's 
up to industry standards, esp. since proven technologies are already 
widely available.

3) I was under the impression that you were doing the transaction 
real-time.  If you're just storing the data to transact at a later time, 
you'd have to do your transactions without the vcode, I reckon.  The 
vcode generally isn't required, but you'll usually get lower transaction 
costs if you use it.

4) The great thing about having the standards is that if you do get 
credit card data stolen from you, you can probably recover from it since 
you have been following industry best practices.  If you're hacked and 
haven't been following the best practices, you're in for it.

Ben
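Added example (not from Ben's post or the list): what point 1 looks like in practice with MySQL's AES_ENCRYPT/AES_DECRYPT. It assumes MySQL 5.7 or later (for block_encryption_mode and RANDOM_BYTES), a constructed table named `stored_cards`, a placeholder key, and the standard Visa test number as the card:

```sql
-- Constructed table; the names are assumptions, not from the post.
CREATE TABLE stored_cards (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  last4    CHAR(4)        NOT NULL,   -- displayable, kept in the clear
  pan_iv   VARBINARY(16)  NOT NULL,   -- per-row IV; safe to store beside the ciphertext
  pan_enc  VARBINARY(64)  NOT NULL    -- AES ciphertext of the full card number
  -- deliberately no column for the vcode/CVV: PCI DSS forbids storing it
);

-- The default block_encryption_mode is aes-128-ecb. ECB encrypts equal
-- plaintext blocks to equal ciphertext blocks, so use CBC with a random IV.
SET block_encryption_mode = 'aes-256-cbc';

-- The key is handed in by the application for this session only and must
-- never be stored in the database. PLACEHOLDER value: derive the real key
-- from your key-management setup, not from a string in the code.
SET @key = UNHEX(SHA2('PLACEHOLDER-KEY-MATERIAL-FROM-APP', 256));
SET @iv  = RANDOM_BYTES(16);

-- 4111111111111111 is the public Visa test number, used here as sample input.
INSERT INTO stored_cards (last4, pan_iv, pan_enc)
VALUES ('1111', @iv, AES_ENCRYPT('4111111111111111', @key, @iv));

-- Decrypt only at the moment the transaction is run, using the row's own IV.
SELECT id, last4, CAST(AES_DECRYPT(pan_enc, @key, pan_iv) AS CHAR) AS pan
FROM stored_cards
WHERE id = 1;
```

Because the plaintext card number and the key both appear in the SQL statement, they can end up in the general query log or a slow-query log; encrypting in PHP before the INSERT (the "similar functions" point 1 mentions) keeps the database server from ever seeing either.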


Webot Graphics wrote:
> 1) If I plan to use 1and1.com for hosting, do they offer an encrypted db?
>
> 2) can you make up some custom code
>
> example ---
> real card
> 1234 5678 9012 3456
>
> could be stored as
> 5678 1234 3456 9012
>
> 3) The pdf says you can't store the vcode anywhere, but how do you 
> keep it long enough for accounting to process it?
>
> 4) We had 1.22 million dollars in sales last year, so we fit the 
> "millions of dollars per year" category, and though we still act like 
> a small business (see website), we are reaching a point at which 
> security could become a real threat.
>
> Justin Giboney
>
>
> On Jun 13, 2007, at 4:55 PM, Ben Reece wrote:
>
>> https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
>
>