Is there a way to encrypt the CC# in the database? My concern is that the web host employees can access the database and thus could read the CC info there as it's not encrypted?
Not if you are using the default credit card module. You will need to use something like the GPG encryption mod, or a real payment gateway. You can set it to split the card number in half, mailing part to you, storing the other part in the db, but don't fool yourself, that hardly qualifies as secure.
I recommend NEVER using the default credit card module included with osCommerce. It is not secure.
Michael Sasek
osCmax 2.5.4 is now available via auto-installation using Softaculous!
Stay Up To Date with everything osCMax:
osCmax on Twitter - Up to the minute info as it happens. Know it first.
osCmax Documentation
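As an added illustration of the point made in the reply above (this is not code from osCmax, osCommerce or the GPG mod, and it is written in Go rather than the shop's PHP so that it runs stand-alone): what a public-key "encrypt in the database" scheme actually buys you. The web host holds only the merchant's public key, so the orders table contains ciphertext that nobody with database access can turn back into a card number; the private key lives on an offline machine where the merchant decrypts orders. The `SplitCardNumber` function mirrors the "half in the DB, half by email" option so the numbers behind "hardly qualifies as secure" are visible. The OAEP label, the key size and the function names are this example's own choices, and the key pair is generated in `main` only so the example runs; in practice it is generated offline and only the public key is uploaded to the shop.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel binds the ciphertext to its purpose; encrypt and decrypt must use the same value.
// Hypothetical constant chosen for this example.
var oaepLabel = []byte("oscmax-order-cc")

// EncryptCardNumber runs on the web host, which holds only the merchant's public key.
// The returned base64 string is what gets stored in the orders table: without the private
// key, a database dump (or a hosting employee with DB access) yields nothing usable.
func EncryptCardNumber(pub *rsa.PublicKey, pan string) (string, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return "", errors.New("not a syntactically valid card number")
	}
	// RSA-OAEP with SHA-256 is randomised: encrypting the same PAN twice gives different
	// ciphertexts, so the stored values cannot even be compared to spot repeat cards.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptCardNumber runs on the merchant's offline machine, the only place the private key exists.
func DecryptCardNumber(priv *rsa.PrivateKey, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN is what the shop itself can keep in clear for order display and customer emails:
// the first six (issuer) and last four digits.
func MaskPAN(pan string) string {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// SplitCardNumber mirrors the "half in the DB, half by email" option. With one half of a
// 16-digit PAN known and the Luhn check digit fixed, the other half has only about 10^7
// candidates (fewer once issuer ranges are taken into account), which is why the reply
// above says this hardly qualifies as secure.
func SplitCardNumber(pan string) (dbPart, mailPart string) {
	pan = strings.ReplaceAll(pan, " ", "")
	half := len(pan) / 2
	return pan[:half], pan[half:]
}

// luhnValid is the standard Luhn check used for card numbers; it rejects typos before
// anything is encrypted, so a bad capture is caught while the customer is still on the page.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum := 0
	double := false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func main() {
	// Key pair generated here only so the example runs stand-alone (see lead-in).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const testPAN = "4111 1111 1111 1111" // well-known test number, not a real account
	stored, err := EncryptCardNumber(&priv.PublicKey, testPAN)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in orders table:", stored[:32]+"...")
	fmt.Println("shown on order page:   ", MaskPAN(testPAN))
	pan, _ := DecryptCardNumber(priv, stored)
	fmt.Println("recovered offline:     ", pan)
}
```

The design point is where the private key is: the moment the web application can call something like `DecryptCardNumber` itself (for example to print a full order), the private key is on the host and the hosting employees the question worries about can read it too. Real-time gateways sidestep the whole problem by never giving the shop the number to store.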
Hmm, I agree that the default is not to be trusted. But won't using the GPG mod require offline processing? Is there a way to do online processing (i.e. not involving email) for sites that have SSL but have the CC# encrypted in the database?
Suba, even the default CC module requires offline processing.
If you want to use realtime processing you need to use one of the other payment gateways, like authorizenet. Those do not store the CC# in the db. And, if you do realtime processing, there is no need to store the CC# in the db. I don't know of any mods that allow both realtime processing and storage of the number.
Michael Sasek
I don't mean realtime, just online, i.e. I use edit order (I think it's a mod?) to print out the actual order, which includes all the information including CC#, and allows auto generation of update emails to the customer.
Now this is all secure from a transmission point of view via SSL; it's just the database storage I am concerned with. It would be nice not to have a myriad of emails floating around, as they are hard to keep track of, whereas the database is compact and easy to backup/search/index.
If I install GPG will I lose the ability to use 'edit order' to process the order as the CC info will be encrypted?
I'm guessing it'd need some sort of GPG via SSL method to work?