Encrypting Credit Card Numbers



N00bTube
12-01-2010, 12:25 PM
I ask this question here as Adobe Forms can use JS.

Is there a way of encrypting credit card numbers inserted on an Adobe Form, that can be decrypted only by having the correct 'key' at the authorised receiving end?

djr33
12-01-2010, 05:55 PM
Not really. At least I would strongly recommend against it. There are a few reasons for this:
1. Your (anyone's) encryption algorithm will be bad. There's no way around that. You have to assume that someone out there is better at encryption than you are and can hack it and steal all the information. You may be able to stop some/most people but in the end someone will figure it out and you'll have big problems-- not worth it. Of course if you hire a security/encryption expert, you might find a reliable way, but it's something that you need to devote time and money to develop and maintain to make sure it's still secure.

2. There are existing ways to deal with credit cards. The best one is to not deal with them at all and use a service like PayPal or Google Checkout so that you aren't responsible for protecting the information. (Of course there's a service charge, but that's worth it for a small business). If not, there's lots of e-commerce software and some must have credit card systems built in. But the key is that if you're using personal data (even names and addresses, but of course credit cards) you should use a secure connection, over SSL. That is, use "https" instead of "http". You'll need to configure this on your server and probably pay for a certificate, but that's the standard and this way you don't need to encrypt the numbers because everything is already secure.

3. Any algorithm that can encrypt can be reverse engineered to decrypt (assuming it's not a one way algorithm like those that create hash strings, such as MD5, but that would be useless because you eventually need to receive the info). A key will help, but only if the key is not available to the public. And it must be in order for you to store it and have the user encrypt it using that key. You could try a complex system to get around it, but it's probably going to make things too difficult.

N00bTube
12-02-2010, 10:25 AM
Thanks for the detailed explanation, I couldn’t have put it better myself!

..no seriously you have given your reply some thought. I guess were it possible in a secure way it would have been done by now, thanks again :)