Hi there,

I know your post indicates you've thought about this, but you may want to reconsider storing CC info at all. It's a trade-off on convenience for the customer and security precautions on your site. If you don't have the numbers, that's one less thing an intruder could do with your information when they do break in. If you do store CC info, you should probably offer the option to not store the CC#. I know I don't like my CC info in a merchant database, encrypted or not.

Scott

-----Original Message-----
From: R. David Murray [mailto:bitz@bitdance.com]
Sent: Thursday, June 08, 2000 5:57 PM
To: zope@zope.org
Cc: zcommerce@codeit.com
Subject: [ZCommerce] Secure storage of credit card info

OK, any of you out there who have thought about ecommerce, cryptography, and zope, I've got a design question for you. Actually, this question is independent of zope, but I need to solve it in a zope context.

You have a ZCommerce site. You accept credit cards, and securely communicate with a CC processor to verify the transaction. Now, you want to save the CC# and other info in case something needs to be done with it later, and probably store the CC# so this customer doesn't have to type it in again later.

Regardless of whether you are storing this info in a relational database or in the ZODB, how do you secure that information? Ideally I'd like it to be encrypted on disk. Now, storing it in a database probably makes it pretty hard to grep out even if a hacker manages to snarf the database file, but I'd like to encrypt it. But if I encrypt it, I have to have a decryption key somewhere. Where do I store the decryption key so that the cracker who snarfs the database file can't get it (just in memory somewhere?), and yet have the system be able to boot itself, including having the key, without human intervention?

It seems to me like this is a Hard Problem, but I'm not up on the current cryptography practice. So if there is a well known general solution, I'd love to hear about it. Otherwise, does anyone know what current Best Practice is?

--RDM

_______________________________________________
ZCommerce Mailing List - ZCommerce@codeit.com
http://lists.codeit.com/mailman/listinfo/zcommerce
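An added illustration of the two approaches raised in this thread (not code from either poster): the master key is read from outside the data store at boot, so a copied database file alone is useless, and a customer who declines storage leaves only the last four digits behind. It uses the Python stdlib's HMAC-SHA256 as a counter-mode keystream with encrypt-then-MAC because the stdlib has no AEAD; a real deployment would use a vetted AEAD such as AES-GCM and keep the key in a KMS or HSM. The environment variable name, the record layout and the test card number are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
# Constructed placeholder: in a deployment the master key is supplied from outside
# the data store (a root-only key file read at boot, the service manager's
# environment, or a KMS/HSM), never from the database that holds the records.
os.environ.setdefault("CARD_VAULT_KEY", secrets.token_hex(32))

def _master_key() -> bytes:
    return bytes.fromhex(os.environ["CARD_VAULT_KEY"])

def _subkeys(master: bytes, nonce: bytes):
    # Fresh encryption and MAC keys per record, derived from the random nonce.
    enc = hmac.new(master, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(master, b"mac" + nonce, hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as the PRF; stdlib only, no AEAD available.
    blocks = (hmac.new(enc_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def store_card(customer_id: str, pan: str, keep_on_file: bool) -> dict:
    """Return the record to persist; the PAN itself only if the customer opted in."""
    digits = pan.replace(" ", "")
    record = {"last4": digits[-4:]}          # enough to show "card ending 1111"
    if not keep_on_file:
        return record                        # nothing for an intruder to take
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(_master_key(), nonce)
    ct = bytes(a ^ b for a, b in zip(digits.encode(), _keystream(enc_key, len(digits))))
    # Tag binds the ciphertext to this customer so records cannot be swapped between accounts.
    tag = hmac.new(mac_key, customer_id.encode() + nonce + ct, hashlib.sha256).digest()
    record["blob"] = (nonce + ct + tag).hex()
    return record

def reveal_card(customer_id: str, record: dict):
    """Decrypt a stored PAN, or None if the customer chose not to keep it."""
    if "blob" not in record:
        return None
    raw = bytes.fromhex(record["blob"])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkeys(_master_key(), nonce)
    expected = hmac.new(mac_key, customer_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before decrypting
        raise ValueError("record tampered, wrong customer, or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()
```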