
Thread: From an html form in https:// url save the credit card data in a mysql database table

  1. #1

    Can you tell me the code tricks involved in:
    From an html form in https:// url save the credit card data in a mysql database table SECURELY? Then retrieve them securely at https:// url?
    I know all the code to store data, and retrieve from DB/TABLE but I do not know the secure tricks... for this.

  2. #2

    My suggestion is to NOT store sensitive information like that in a database; however, if you do, I would suggest that you encrypt the data so that if the database were compromised, the information stored in it wouldn't also be compromised.

  3. #3

    Companies accept credit card data; what do they do? As I say, I know all the code to store data, and retrieve from DB/TABLE, but I do not know how the secure tricks like encryption work, at what stage, and how to implement...? Can you give some sample segments of code?

  4. #4

    We've had long discussions on this question.

    The end result is that you really can't store the numbers securely.

    Imagine your database as a very secure safe in your house. Imagine your house being the server.

    Sure, if they break into the safe the encrypted data won't be readable to them, but you forget that they're already in your house, where you store the method you used to encrypt them.

    The only way that encryption works is to have the key to the encryption and the encrypted value separate. If they have both, then it's no challenge for the hacker to steal it.

    Anyway, there are a number of ways to encrypt something, but no ways to protect the data/method from the hacker if they're on the same server. (If your database is on another server it's a little more secure, but that can be accessed from the main server, so they still only need to break one. If they just broke into the database, I suppose it would stay secure.)

    Here's a conversation we had a while ago. You might find it helpful.
    http://www.dynamicdrive.com/forums/s...ad.php?t=23000
    Peter [tech_support] and I took some of those ideas and expanded on them, eventually coming up with some concepts for a possibly secure system. However, it was still incredibly difficult (we never did finish it), and only as secure as its weakest link.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
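
The key-separation point made in post #4, as an added example that is not part of the original thread. PHP with the bundled sodium extension is assumed, and the environment variable `CARD_KEY_HEX` and the column names `pan_ct`, `nonce` and `last4` are hypothetical. The key is loaded from outside the database, so a dump of the table alone yields only ciphertext; anyone who controls the server holding the key can still decrypt, as the post says.

```php
<?php
declare(strict_types=1);

// Assumption: the 32-byte key is provisioned outside the database and outside
// the web root (here a hex string in the hypothetical env var CARD_KEY_HEX).
function load_key(): string {
    $hex = getenv('CARD_KEY_HEX');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card key missing or wrong length');
    }
    return sodium_hex2bin($hex);
}

// Returns the columns to store: only ciphertext, nonce and the last four digits.
function seal_pan(string $pan, string $key): array {
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        throw new InvalidArgumentException('unexpected card number length');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per row
    return [
        'pan_ct' => sodium_crypto_secretbox($digits, $nonce, $key),
        'nonce'  => $nonce,
        'last4'  => substr($digits, -4),
    ];
}

// Authenticated decryption: a wrong key or a modified row fails closed.
function open_pan(array $row, string $key): string {
    $pan = sodium_crypto_secretbox_open($row['pan_ct'], $row['nonce'], $key);
    if ($pan === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered row');
    }
    return $pan;
}

// Constructed demo: a throwaway key and a widely published test card number.
putenv('CARD_KEY_HEX=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
$key = load_key();
$row = seal_pan('4111 1111 1111 1111', $key);
echo 'stored last4: ', $row['last4'], ', ciphertext bytes: ', strlen($row['pan_ct']), PHP_EOL;
echo 'with key: ', open_pan($row, $key), PHP_EOL;
try {
    open_pan($row, sodium_crypto_secretbox_keygen()); // what a database-only thief holds
} catch (RuntimeException $e) {
    echo 'without key: ', $e->getMessage(), PHP_EOL;
}
```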

  5. #5

    Something else worth noting is that you need to comply with PCI regulations in order to save sensitive data like this. More info can be found here: http://www.pcicomplianceguide.org/

    Hope this helps.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design
