Kerala Microsoft Users Group

Credit Card details Encryption with PGP

Latest post 07-07-2009 11:48 AM by Sujith PV. 11 replies.
  • 07-04-2009 5:11 AM

    Credit Card details Encryption with PGP

    Hi Friends

    Can anyone give some ideas about PGP for credit card details encryption?

    Thanks

    Sujith PV

  • 07-04-2009 5:19 AM In reply to

    Re: Credit Card details Encryption with PGP

    Before talking about PGP... It's NOT at all advisable to store credit card numbers. In some countries it's illegal too. But you can store the last 4 digits of the card.

    If you can explain why you need it, maybe we can come up with better solutions. I have worked with a lot of payment gateways for the UK and India. ;) I can help you.

  • 07-04-2009 5:35 AM In reply to

    Re: Credit Card details Encryption with PGP

    Hi Shobhan

    Actually, why I need to store it is that this is processed only after a period, let's say one week, automatically.

    So before we accept, we tell or narrate this situation. Also we will remove it from the database after one week.

    We are planning something like storing the same for a short span, processing the same and removing it from the database.

    So we thought about how securely we should store the same.

  • 07-04-2009 6:05 AM In reply to

    Re: Credit Card details Encryption with PGP

    I would suggest you check all possible rules before storing credit card numbers and their CVV code.

    Because if something goes wrong you will be punished big time. But still you can check out this http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx if you are storing it for a short time.

    Alternatively you can check this question on SO: http://stackoverflow.com/questions/206438/storing-credit-card-details

  • 07-04-2009 9:33 AM In reply to

    Re: Credit Card details Encryption with PGP

    As Shoban said, it is a BAD practice to store CC details. Because if your system's hacked, you're gone.

    Thanks

    Anuraj P
    http://www.dotnetthoughts.net

    THIS POSTING IS PROVIDED "AS IS" WITH NO WARRANTIES, AND CONFERS NO RIGHTS.
    BEWARE OF BUGS IN THE ABOVE CODE; I HAVE ONLY PROVED IT CORRECT, NOT TRIED IT.

  • 07-04-2009 1:35 PM In reply to

    Re: Credit Card details Encryption with PGP

    I don't know about the legal side of this topic.

    For encryption, you can use AES 128-bit encryption. Here the question is how we can store the key.

    The answer is, you can store it in the app.config/web.config file and let the settings section be encrypted as described in the link below:

    http://msdn.microsoft.com/en-us/magazine/cc164054.aspx

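    The approach in the reply above (AES-128 with the key kept in a protected config section, data held only for a fixed window and then removed), worked through as an added C# example. This is not code from the thread or from any of the products mentioned; it assumes .NET 6 or later on Windows, the System.Configuration.ConfigurationManager package, and an appSettings entry named "CardVaultKey" (a hypothetical name) holding a base64-encoded 128-bit key. AES-GCM is used rather than bare AES-CBC so tampering with a stored record is detected, and the record id plus expiry are bound in as associated data so a record cannot be re-labelled or given a longer life. The CVV is deliberately never stored.

```csharp
// Added example (not from the thread): short-lived, authenticated storage of a card
// number with the key loaded from a DPAPI-protected appSettings section.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public sealed class HeldCard
{
    public Guid Id { get; init; }
    public string Last4 { get; init; } = "";   // the only part safe to show or log
    public byte[] Nonce { get; init; } = Array.Empty<byte>();
    public byte[] Ciphertext { get; init; } = Array.Empty<byte>();
    public byte[] Tag { get; init; } = Array.Empty<byte>();
    public DateTimeOffset ExpiresAt { get; init; }
}

public static class CardVault
{
    const int KeyBytes = 16;    // AES-128
    const int NonceBytes = 12;  // standard GCM nonce size
    const int TagBytes = 16;

    // Reads the key from appSettings ("CardVaultKey" is an assumed name) and, on first
    // run, encrypts the whole appSettings section with DPAPI, as in the MSDN article
    // linked in the reply above, so the key is not sitting in clear text on disk.
    public static byte[] LoadKey()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("appSettings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
        string? encoded = ConfigurationManager.AppSettings["CardVaultKey"];
        if (encoded is null) throw new InvalidOperationException("CardVaultKey is not configured");
        byte[] key = Convert.FromBase64String(encoded);
        if (key.Length != KeyBytes) throw new InvalidOperationException("CardVaultKey must be 128 bits");
        return key;
    }

    // Encrypts the PAN for a bounded retention period. Only the last four digits are
    // kept in clear; the CVV is never passed in, let alone stored.
    public static HeldCard Hold(byte[] key, string pan, TimeSpan retention)
    {
        Guid id = Guid.NewGuid();
        DateTimeOffset expires = DateTimeOffset.UtcNow.Add(retention);
        byte[] plaintext = Encoding.ASCII.GetBytes(pan);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagBytes];
        using (var gcm = new AesGcm(key))
            gcm.Encrypt(nonce, plaintext, ciphertext, tag, Aad(id, expires));
        CryptographicOperations.ZeroMemory(plaintext);   // do not leave the PAN in the heap
        return new HeldCard
        {
            Id = id, Last4 = pan[^4..], Nonce = nonce, Ciphertext = ciphertext, Tag = tag, ExpiresAt = expires
        };
    }

    // Decrypts only at processing time; an expired record is refused, not processed.
    // The caller must zero the returned bytes as soon as the gateway call is done.
    public static byte[] Reveal(byte[] key, HeldCard card)
    {
        if (card.ExpiresAt <= DateTimeOffset.UtcNow)
            throw new InvalidOperationException("record has expired and must be purged");
        byte[] plaintext = new byte[card.Ciphertext.Length];
        using (var gcm = new AesGcm(key))
            gcm.Decrypt(card.Nonce, card.Ciphertext, card.Tag, plaintext, Aad(card.Id, card.ExpiresAt));
        return plaintext;
    }

    // Run on a schedule (e.g. daily): everything past its expiry is deleted.
    public static int Purge(List<HeldCard> store)
        => store.RemoveAll(c => c.ExpiresAt <= DateTimeOffset.UtcNow);

    // Associated data ties the ciphertext to this record id and this expiry.
    static byte[] Aad(Guid id, DateTimeOffset expires)
        => Encoding.ASCII.GetBytes(id.ToString("N") + "|" + expires.ToUnixTimeSeconds());

    public static void Main()
    {
        byte[] key = LoadKey();
        var store = new List<HeldCard>();
        // Constructed test number (a well-known non-issuable sample), one-week hold.
        store.Add(Hold(key, "4111111111111111", TimeSpan.FromDays(7)));
        Console.WriteLine($"Holding card ending {store[0].Last4} until {store[0].ExpiresAt:u}");
        byte[] pan = Reveal(key, store[0]);             // at processing time only
        Console.WriteLine($"Processing {Encoding.ASCII.GetString(pan).Length}-digit PAN");
        CryptographicOperations.ZeroMemory(pan);
        store.RemoveAt(0);                              // processed: remove immediately
        Console.WriteLine($"Purged {Purge(store)} expired record(s)");
    }
}
```

    Two design points matter more than the cipher choice: the key lives in a different place (the protected config section, readable only by the account the site runs under) than the ciphertext (the database), and every record carries its own expiry that both the decrypt path and the purge job honour, so "held for one week" is enforced by code rather than by intention.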
  • 07-04-2009 11:59 PM In reply to

    Re: Credit Card details Encryption with PGP

    Hi guys

    Thanks for your replies. Actually I have seen a couple of UK-based reservation sites (for example, for restaurants) where they ask for the credit card details and clearly mention that it will be processed later and is temporarily held in their system and removed later. They state that this is made secure using PGP.

    Actually I was unaware of the legal issues behind the same. Thanks guys. But I just want to know how they implement the same. Actually I'm having a similar scenario.

    Regards

    Sujith

  • 07-05-2009 2:59 AM In reply to

    Re: Credit Card details Encryption with PGP

    Hi Sujith

    The UK is very strict about credit cards. You can store cards, but as I said you have to be very, very careful with it and you should not store the cards for more than the time required. Which payment provider are you using? BT Buynet or TLG's SolveSE?

    About the legal issue, read this: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml (PCI DSS).

    It surprises me when you said you are not aware ;) . Let me tell you how serious it is... if you are not following proper guidelines from PCI DSS, you and your employer can go to jail ;-)

  • 07-05-2009 3:39 AM In reply to

    Re: Credit Card details Encryption with PGP

    Hi Shobhan

    Thanks for your information.

    Actually, it's not been commissioned yet. When I saw some requirements like this I was thinking about the implementation of the same. That's how I came to put this up on the discussion forum. Anyway, really thank you guys for providing the right information :-)

    Regards

    Sujith PV

  • 07-05-2009 3:55 AM In reply to

    Re: Credit Card details Encryption with PGP

    I strongly recommend going for BT Buynet, which is very easy to implement. They have very good customer support.

    I have worked with many payment gateways in India and the UK (ICICI, mChek, BT Buynet, SolveSE...), so if you need any help let me know.

    All the best.

  • 07-07-2009 8:37 AM In reply to

    • Ansil

    Re: Credit Card details Encryption with PGP

    Hi Sujith ,

    For the last 3 years I have been working on e-com at Microsoft, and I have dealt with payment gateways of North America, LatAM, EMEA, China and Korea. With that knowledge I can give you some pointers.

    First of all you should be PCI (Payment Card Industry) compliant. This is a standard nowadays. None of the code we write goes to production if it is not PCI compliant.

    Overview

    The Payment Card Industry Data Security Standard, or PCI DSS, levies requirements on credit card merchants to safeguard consumers' credit information from malicious behaviour by identity thieves. The payment card industry providers such as VISA, MasterCard and American Express are now enforcing PCI compliance. Non-compliance can result in fines, restrictions or possibly permanent expulsion from card acceptance programs. If your business depends on accepting credit cards, then you have no choice but to become PCI compliant.

    The Payment Card Industry (PCI) data security standards are network security and business practice guidelines developed by Visa, MasterCard, American Express and Discover Card. They were developed to establish a 'minimum security standard' with regard to the protection of cardholders' account and transaction information.

    What are PCI DSS requirements?

    The PCI Data Security Standard represents a common set of industry tools and measurements to help merchants and credit card processors that store, process or transmit cardholder data ensure the safe handling of sensitive cardholder information. The standard provides an actionable framework for developing a robust account data security process that includes preventing, detecting and reacting to security incidents.

    What are the benefits of working with a PCI Compliant Service Provider?

    By working with a PCI compliance service provider you can ensure that cardholder account data being processed across your technical environment is protected. PCI DSS protects cardholders and minimizes the risk to your business. The main benefits of implementing PCI DSS for your organization and working with a provider that is compliant are:

    - Protecting customer personal data
    - Increasing customer trust by demonstrating your commitment to the security of their personal information
    - Protecting your business from financial penalties
    - Leveraging a hosting provider's existing PCI DSS compliance investment, i.e. your technical infrastructure resides in a data centre that has already been audited
    - Potential savings starting at $100,000 in capital expenditures by outsourcing to a managed service provider that is PCI compliant

    Who has to comply?

    The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

    What do I need to do to meet the PCI standards?

    The PCI standard comprises two basic steps:

    1. Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard "Qualified Independent Scan Vendor". Scans are required for all Internet connection points, whether they are office networks or home/office connections (dial-up, DSL, cable or wireless) or permanent Internet servers such as your web site and email server, etc.
    2. Successful completion of a security self-assessment questionnaire. The self-assessment questionnaire asks specific questions about your internal security practices, both on your web site and in your office.

    For e-commerce sites that involve online credit card payments, this PCI DSS certification will provide greater security features for business and customers. PCI compliance service providers assure that your confidential data is totally protected.

    https://www.pcisecuritystandards.org/

    Check out this site.

  • 07-07-2009 11:48 AM In reply to

    Re: Credit Card details Encryption with PGP

    Thanks Ansil.
