Thoughts on a security model for storing credit card data

Question

Thoughts on a security model for storing credit card data

Here is the model we use to store CC data, how safe does it look?

All our information is encrypted using public key encryption, and the key-key depends on the user (its generated on the server and the private key is symmetrically encrypted using the user's password, which is also placed in the database). Thus, at the first start, the user sends to his password via an SSL connection, and the password is used with the addition of salt to generate the MD5 hash, the password is also used to encrypt the private key, and the private key is stored on the server. When a user wants to make a payment, he sends his password. The password decrypts the private key, and the secret key decrypts the CC details and CC details. [/ P>

+3

security credit-card

Faisal abid Mar 16 '10 at 20:06

source share

5 answers

, . , , , , , CBC, CTR IV.

+3

hao 16 . '10 20:22

, . , , , .

, , . 1 ( , ). , - , .

, , . , , .

( IV), openssl EVP_BytesToKey , iv ( ).

, , . . , , , . , .

+1

mar 17 . '10 21:38

erickson , , .

- . - , , , .

, , HSM () HSM.

, "" , ( ). , , , Windows.

0

Henri 16 . '10 21:03

You might want to take a look at the DSS Payment Application payment card industry " https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

This may help you make some decisions.

0

Jason m Mar 22 '10 at 17:21

source share

erickson · Accepted Answer · 2010-03-16T20:50:11+0000

, ( ) ? .

-, , .

Thoughts on a security model for storing credit card data

More articles: