Storing credit cards...
tech_support
07-25-2007, 10:04 AM
Well, I need to set up this eCommerce system for my cousin.
What's a secure way of storing credit card transactions? Reversible Encryption? Remote Printing? Or should I just tell him to ring the customer and ask for the details?
Sliight
07-25-2007, 05:28 PM
If he does enough business, and makes enough money... http://merchantwarehouse.com/credit_card_processing/online_credit_card_processing?cpao=142&kw=online+credit+card+processing
Something like that could be worth it?
thetestingsite
07-25-2007, 06:22 PM
I would recommend using a payment gateway such as PayPal, 2Checkout, etc. When messing with credit cards and money handling it is always better to use an outside source (in this case, a payment gateway) for it as compared to using a database and a flimsy server-side script.
Hope this helps.
djr33
07-26-2007, 12:11 AM
If they get the data, then they could decrypt it as by that point they would likely have your source code too. I say just make the system secure in the first place.
The only way that encryption like that would work is if you had a key to it that only he knew. If you had a password that generated a way to decrypt it, that would be helpful.
But, still, you need to store the data securely. A database is a good idea, I think, as long as it is secure.
tech_support
07-26-2007, 08:53 AM
Hmm... How would I do a key encryption?
djr33
07-26-2007, 06:35 PM
I really have no idea.
Well, I do, but nothing that will directly help you.
1. Code it yourself.
2. Look on PHP.net, hoping for some extension that allows this. I'm not currently aware of any functions like that, though.
tech_support
07-27-2007, 03:03 AM
1. Code it yourself.
Duh.
Just point me where to start ;)
djr33
07-27-2007, 03:13 AM
Go through each character and base it on the password.
Take the md5 of the password, add the ordinal value of the characters to the md5 hash, repeating this every 32 characters. Well, then again, that's just a credit card, so no need to repeat it.
To decrypt, just do the inverse.
Or something else. Just be creative, be sure it works every time, and make sure there's no way to fake it.
It still wouldn't be entirely secure, but it would be helpful.
EDIT:
<?php
$pass = 'test';
$num = '1234123412341234';
// Shift each digit by the ordinal value of one character of a fixed 16-char
// string derived from the password (the same shift is used for every number).
function encrypt($num, $pass) {
    $hash = substr(md5(md5($pass)), 0, 16);
    $out = array();
    for ($n = 0; $n < 16; $n++) {
        $o = (int)$num[$n] + ord($hash[$n]);
        $out[$n] = $o % 10;
    }
    return implode('', $out);
}
function decrypt($num, $pass) {
    $hash = substr(md5(md5($pass)), 0, 16);
    $out = array();
    for ($n = 0; $n < 16; $n++) {
        $o = (int)$num[$n] - ord($hash[$n]);
        // PHP's % keeps the sign of a negative $o; normalise into 0..9 so a
        // plaintext digit of 0 does not come back as "10".
        $out[$n] = (($o % 10) + 10) % 10;
    }
    return implode('', $out);
}
echo $num . "\n";
echo encrypt($num, $pass) . "\n";
echo decrypt(encrypt($num, $pass), $pass);
?>
Tested, and that works.
Output:
1234123412341234
3058828534429011
1234123412341234
For very sensitive details (credit card numbers, security codes), just don't store them at all. Require that the user re-enters them for each new transaction. Most companies do this nowadays; it also provides some protection for the user if the account is compromised.
djr33
07-27-2007, 08:10 PM
Sure. But you need to store them the first time, so you can actually bill the account. What would you suggest for that?
tech_support
08-17-2007, 10:16 AM
Alright. Thanks for everyone's help in this.
He's decided that he'll just call them up and ask for the credit card details; or make a transaction through PayPal (or make a direct deposit, money order, cheque, bPay whatever).
boogyman
08-17-2007, 03:50 PM
Sure. But you need to store them the first time, so you can actually bill the account. What would you suggest for that?
I am assuming you would be generating some type of invoice to make sure that the transaction was completed and payment is received. I would suggest creating a temporary table with the invoice number and the cc number of the payment... when the payment is processed you then wipe out the temporary table and update the invoice information to paid.
Also, as an additional thought, while you might not want to store the entire cc, I think it's pretty customary to store the last 4 digits of the cc and the name on the card as a reference, so in case the claim is disputed you have something to go on besides the fact that this invoice was paid with a "visa" or whatever type of cc.
tech_support
08-18-2007, 10:00 AM
That seems like a good idea.
Now, MySQL or PHP Flat files (chmodded so nobody can read it)?
thetestingsite
08-18-2007, 03:16 PM
MySQL would probably be your best bet (being that it is in a non-plain-text format). The only thing you would have to worry about is having your database hacked. As for flat files, you have pretty much the same risk as with MySQL, except for the fact that the files are basically plain text.
tech_support
08-19-2007, 02:39 AM
...fact that the files are basically plain text.
If I were going to store it, both would be using djr33's reversible encryption anyway.
You'd be better off with a mathematician-designed, tried-and-tested industry standard like AES, which is built into MySQL.
tech_support
08-19-2007, 08:21 AM
Sounds good. How do I implement/use it?
http://dev.mysql.com/doc/refman/4.1/en/encryption-functions.html#function_aes-encrypt
The key should be user-provided -- perhaps part of the user's password, or a hash of the user's password (but not the one you have stored).
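A worked version of the storage plan discussed in this thread (boogyman's temporary invoice/card table with only the last four digits and the name kept afterwards, plus the MySQL AES_ENCRYPT with a key derived from the user's password suggested above), written as an added example and not code from any poster. It assumes a PDO MySQL connection $pdo, MySQL 5.6.17+ (block_encryption_mode and the IV argument), PHP 5.5+ (hash_pbkdf2), and made-up table names.

```php
<?php
// Added example for this thread, not code from any poster: a pending-payment
// table using MySQL AES_ENCRYPT with a key derived from the user's password,
// wiped after the charge, keeping only the last 4 digits and the name.
// Assumed: $pdo is a PDO MySQL connection, MySQL >= 5.6.17, PHP >= 5.5. Made-up tables:
//   pending_payment(invoice_no INT PK, key_salt BINARY(16), card_iv BINARY(16), card_enc VARBINARY(48))
//   invoice(invoice_no INT PK, status VARCHAR(10), card_last4 CHAR(4), card_name VARCHAR(80))
// Card key: PBKDF2 over the user's password with its own salt. The login check
// must use a different hash (password_hash), so neither value yields the other.
function card_key($password, $salt) {
    return hash_pbkdf2('sha256', $password, $salt, 100000, 32, true);
}

function prepare_conn(PDO $pdo) {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // values never spliced into SQL text
    $pdo->exec("SET block_encryption_mode = 'aes-256-cbc'"); // MySQL default is ECB
}

function store_pending_card(PDO $pdo, $invoice_no, $pan, $password) {
    prepare_conn($pdo);
    $salt = openssl_random_pseudo_bytes(16);
    $iv   = openssl_random_pseudo_bytes(16); // fresh IV: equal PANs encrypt differently
    $st = $pdo->prepare('INSERT INTO pending_payment (invoice_no, key_salt, card_iv, card_enc)
                         VALUES (?, ?, ?, AES_ENCRYPT(?, ?, ?))');
    $st->execute([$invoice_no, $salt, $iv, $pan, card_key($password, $salt), $iv]);
}

// Returns the full number once, for the manual charge; null if none is pending
// or the key is wrong (AES_DECRYPT normally yields NULL when padding fails).
function fetch_pending_card(PDO $pdo, $invoice_no, $password) {
    prepare_conn($pdo);
    $st = $pdo->prepare('SELECT key_salt FROM pending_payment WHERE invoice_no = ?');
    $st->execute([$invoice_no]);
    $salt = $st->fetchColumn();
    if ($salt === false) { return null; }
    $st = $pdo->prepare('SELECT AES_DECRYPT(card_enc, ?, card_iv) FROM pending_payment
                         WHERE invoice_no = ?');
    $st->execute([card_key($password, $salt), $invoice_no]);
    $pan = $st->fetchColumn();
    return $pan === false ? null : $pan;
}

// After the charge succeeds: drop the full number, keep only what a dispute needs.
function finish_payment(PDO $pdo, $invoice_no, $pan, $card_name) {
    $pdo->beginTransaction();
    $pdo->prepare('DELETE FROM pending_payment WHERE invoice_no = ?')->execute([$invoice_no]);
    $pdo->prepare('UPDATE invoice SET status = ?, card_last4 = ?, card_name = ?
                   WHERE invoice_no = ?')
        ->execute(['paid', substr($pan, -4), $card_name, $invoice_no]);
    $pdo->commit();
}
```

Server-side query logging (general log, binary log) can still record the bound values, so it should stay off on a database holding pending card data.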
tech_support
08-19-2007, 10:48 AM
Thanks for that. I'll look into it.
So, how secure is this?
Secure enough -- but as said, don't store the whole of the card number. The first four characters should be enough to identify it to the user.
tech_support
08-20-2007, 12:55 AM
I can't process the transaction with only 4 numbers :p
Last I heard we were talking:
Also, as an additional thought, while you might not want to store the entire cc, I think it's pretty customary to store the last 4 digits of the cc and the name on the card as a reference, so in case the claim is disputed you have something to go on besides the fact that this invoice was paid with a "visa" or whatever type of cc.
You can perform the transaction before storing the card details as we originally planned.
tech_support
08-20-2007, 06:51 AM
You can perform the transaction before storing the card details as we originally planned.
Nope, I need to process a manual transaction, meaning storing the credit card details for a transaction, then deleting it.
tomyknoker
08-21-2007, 03:27 AM
Someone mentioned using the payment gateway to store them; do payment gateways actually store the data? I thought they just talked to the bank? From looking at packages like osCommerce and CubeCart I think they store the cc data in the database... But it's actually something I am very interested in, so if anyone could shed some light???
tech_support
08-21-2007, 07:50 AM
Someone mentioned using the Payment gateway to store them, do payment gateways actually store the data? I thought they just talked to the bank?
Nah, they do an automatic transaction.