Responsible Handling of Billing Information?

moving on asks: "I've been asked by a client to build a fee based subscription service using surepay as the vendor for processing credit card transactions. Subscribers to the service will be billed X amount per month and that is the rub. Surepay does not offer recurring billing so I will need to store credit card numbers and related info. The question is then, how does one best do this in the most responsible manner?" The trick here is giving consumers the service they have come to expect from most websites, without exposing their personal information to would-be thieves. Do you think such a system is possible?

It certainly is possible

[OeLeWaPpErKe]

want to hire me ? ;-)

Hashing

[saint10]

As long as you send all your customer data to one way crypto heaven (MD5, SHA1), whats the big deal? If attackers easily snark in through the latest IIS sploit, and on into your SQL Server, your data is protected.

Re:Hashing

who ever said he was using IIS? maybe he's running Apache on a BeBox he pulled outta a dumpster

Re:Hashing

[markj02]

That wouldn't help. His system needs to present the plain-text data to some other system.

Re:Hashing

[Erasmus+Darwin]

"As long as you send all your customer data to one way crypto heaven (MD5, SHA1), whats the big deal?"

How does that solve the problem? The customer data has to be sent to Surepay once per month. Encrypting it one-way creates a situation where customer data can be verified, but can not be reproduced. The customer data can't be sent to Surepay without being reproduced. So the one-way hash is worthless, unless I've missed something.

Re:Hashing

[QuestKing]

The idea is to store credit card numbers in a format such that they could be used for recurring billing through surepay... how would hashing a credit card number work, since surepay would have to recognize the hash and somehow connect it to a particular credit card?

A slightly more useable option would be to store the credit card numbers offline somewhere in another server, which only comes online to do the surepay billing, and through a firewall which allows connections to/from surepay only.

Re:Hashing

Then how do you send the credit card info off to the billing service?

They're gonna look at an MD5 hash and ask which part is the expiration date =)

The real key is limiting access to the machine housing the database, and strengthening the security/encryption used to move that data around.

The db server should only be accessible [ /etc/hosts.(allow|deny) ] from the web server and strictly firewalled from the rest of the net and segregated from the local network too.

Re:Hashing

[eric434]

But they have to get the card numbers every month to charge them!

Personally, I'd say just store the data on removable media, and every month just have a robot go through the stack. For normal days, there'd be a cartridge/whatever in the drive that gets changed every week, so l33t AOLuser f5cKm3Up! could get only the customer data from the last week, at worst. When a cartridge/whatever gets changed, it would be put into a separate, NON-INTERNET-CONNECTED box that would automagically add the data from that week to the cartridge for that month/quarter/year (depending on the volume of subscriptions). On billing day, the robot just pops the archive cartridges into the web server (or a separate billing server if you can afford it) and an automated script goes through the data and bills.

You could also just use some heavy-duty encryption and store the key split into multiple parts on USB keys given to the security officers or whatever.

Re:Hashing

[saint10]

That wouldn't help. His system needs to present the plain-text data to some other system.


Oh yea... good point, well then, there are loads of nice symetric (2 way) crypto packages out there. Use the new AES, even MS has APIs (CryptoAPI, which ships with Win2k) out there to encrypt and decrypt transparently to the application/programmer.

Re:Hashing

[Scott.Simpson]

Yes it would work. When the person enters the credit card number, you hash it and do the comparison to see if it matches. You have the original credit card number stored in the memory of the widget on the web page. That is, use the number the person gave you! It isn't stored on disk though so if it should be safe.

Re:Hashing

Well, there *is* a way *if* Surepay accepts assimetric encryption: just the same as PGP: you encrypt your data with Surepay's public key and your private one, Sureypay and only Surepay will be able to decrypt it.

Re:Hashing

[CarbonJackson]

Hashing? I don't think getting high qualifies as "responsible".

Re:Hashing

[pitcrew]

First of all the biggest risk is from internal theft. This can be handled by keeping the box secure both physically and from the internal/external network. Secondly the processor must get the data in a usable form thus it must be transmitted over the Internet as open text unless the processor has an encryption they want you to use. I solve this problem by sending the information to my card processor over dial-up lines. Yes it is slow, (1200 baud) but I can process 800 credit cards in about 45 minutes. The problem that I see for you is not the storage of the card info but the transmission over the Internet. You mignt want to look at ICVerify. This is piece of software that has been around for a long time and works fairly well. You can also process in real-time if you need to for sign-ups.

Re:Hashing

[tenman]

Physical security is a good road to go down, but it would be just as easy (if not easier) and cheaper to shove the data onto an encrypted file system, and then only mount the file system twice a month (1st & 15th billing cycle(s). The problem with "disconnected media" is that you have to save a queue of client requests. I'll get more into that in a second. I don't have a great solution on a shoestring budget, but I can point out some things to look for...
First define your goals from the customer side. Do you want to allow your customers to decide what day of the month their CC will be billed? Do you want the customer to be able to change their CC#? Do you want the customer to be able to pay for 2/3/6/9/12 months in advance? Do you want to allow you customer to select an option to only 'bill once'? The goal of your application will determine how you store you sensitive data. Someone who wants a 12-month subscription and would like to use the 'bill once' option tends to be okay with updating his/her records every billing cycle. While the month to month guy doesn't want tge hassle from a reputable company.
Also consider (in the case of removable media) that if a customer wants to cancel their account, you as a company want to get rid of their data like a hot potato. If you have to wait for the next tape to be inserted to remove that account, you are still liable for their data. And that is an expense that no company wants or needs. Client request queue's are cumbersome to manage, usually rely on unstable environments, and are certainly not ideal for security. If you had to wait on a tape to mount to add a new account, where are you going to store that account's information until the tape gets inserted? I would think that in any case no matter what the requirements are, a removable media solution is out of the question.
While I'm on the subject, let me point out that nobody is going to do this for you out of the box. The commercial says that 95% of top 60 E-businesses run Oracle, and yet every regular /. reader saw a story last week about a huge security flaw in the new 9i product (I was personally very saddened by this). You're not going to get rock solid security from Microsoft or from the Open Source applications out there (again I'm talking out of the box). Protecting your customer's data can be a full time job. To truly protect your boxes and your data, you have to be aware of new vulnerabilities. You will need to live a security websites; you will have to dedicate yourself to not installing any new commercial (non-home grown) applications on these boxes without putting them to the test on another system first, and you will have to monitor the activity to that machine with a fine tooth comb every day even when it would seem that nothing bad is ever going to happen to the system. I've seen the best of security measures crumble because tech's to did security gat a false sense of security because they where used to not being attacked.
"We haven't been attacked, so we probably never will be.", "they don't know we are here.", and "My machine isn't really connected to the internet." may be statements that is true enough, but that doeesn't allow you to rest on your laurels. Security though Obscurity doesn't work. Trust me, if they want to, they can come though your firewall (usually a Trojan), around/into your NAT tables, and into that box that isn't really on the internet. I don't know of a security tool that can't be fooled (except a person that can make on the fly decisions).
So we come back to 'out of the box security tools'. The correct way to modify them is with education about them. The more you get to know about your firewall(s), and your router(s), or your web server(s), and your [insert long list of hardware/software widgets here], the easier it will be to understand how to protect yourself. It wouldn't hurt to pay for a class on how to make modifications, as this would give you the voice of someone with a broad experience in dealing with your tools.
So, My answer to your question, as long and rambling as it may be, is pretty simple. Stay away from Microsoft OS's as their security holes are much more publicized to the general public than that of the UNIX/Linux world. Use a peer system with ALLOW/DENY rules setup in your boxes. Have your content server(s) connected to a broker server that can then connect to your database. Never access your data on the database from any other machine (no remote ODBC, TNS, etc...). Have the database do it's own lookups and queries. Then use some form of encrypted communications to relay information from the database to the broker. The broker should make an intelligent decision as how and where that data gets sent. If you connect to the clearinghouse via TCP/IP, then have the Broker hand off the data, and not the content server. As far as a customer is concerned all of this is transparent. To the cracker there are layers of walls to break in order to get to the data.
I would love to promote the software that you should run on the Broker machine, but contractually I cannot. Remember as you look for, or develop your broker machine that THAT machine is your security backbone, and should be treated if it was your daughter. I hope this helps, and I wish you the best of luck with your endeavor

Re:Hashing

mod parent up

Re:Hashing

and mod _that_ parent up as well

Re:Hashing

[jansifae]

I might be missing the point, but I thought the system was supposed to only ask for customer information once, and then bill them repeatedly.

If the customer has to enter their information over again every billing period, whats the point of storing anything?

Re:Hashing

[TheSolomon]

ICVerify (bought by CyberCash) is no longer an option, since CyberCash went out of business. Consequently, CyberCash's payment handling service is now done Verisign, who got into the whole payment handling business starting with their purchase of Signio.

Whatever the case, none of these services (ICVerify, CyberCash, Signio, or Verisign) do anything differently than what you have. =)

Re:Hashing

[pitcrew]

Actually ICVerify is currently owned by First Data Merchant Services. See icverify.com.

Re:Hashing

[pauldy]

But we know this doesn't work because your week link is the server that does have access to the credit card info. So then you create a way for the credit card db to poll the webserver for cc info and run one of the scaning services on your machine weekly to check for remote exploits on your webserver to detect possible man in the middle attacks.

encryption

[paranoic]

Strong encryption and only connect the machine to any network (internal and external) when the bills have to go out. Filter all replies that don't come from the credit card responder.

Re:encryption

Encryption is the right way. Generate an RSA Key, lock the private part of that key away with a cipher secured by a passphrase. As your confidential information comes in encrypt it with the RSA Public Key...

Now every month when you need to send out billings you personally sit down at the console(or ssh in), run a little perl script and unlock the RSA Private Key with that... All data is decrypted using the private key, billings are sent out and the information is never saved to disk.

Anyway, it'd be pretty secure.

Re:encryption

[Xzzy]

> and only connect the machine to any network
> (internal and external)

If you're unable to do this (due to staggered billing or something) the "next best" option is a heavily restricted network.

Give your machine with the personal information precisely one network connection and plug it into precisely one machine that can talk to the secured machine on precisely one port. Have your border firewall or equivalent drop any outgoing packets from either of these machines. Only let people do work on this machine from the console. Also use a straight cable between the machines.. ethernet port to ethernet port, crossover cable.

Then you have your webserver talk to the intermediate machine to handle transactions. Process submits authorization or billing request to intermediary, intermediary talks with the database, and issues a "yes" or "no" to the querying program. At some point you'll probably have to actually transmit user data to actually do the billing, so obviously everything in this chain will be encrypted.

Then install the best intrusion detection tools you can find/afford on all these machines and hire alert people to monitor logs. Treat any unexpected traffic as an attack and have someone walk over to your machines and physically unplug the machine from the intermediary until the situation can be identified/resolved.

This obviously assumes one believes that physical separation is important and effective, which I happen to do. ;) This also kinda relies on a security through obscurity standpoint, which contrary to popular belief can actually be useful as long as you don't let it lull you into complacency.

If server theft is a concern you'll also want to yank out floppy drives, physically secure the server somehow, look the bios, and if you absolutely require being able to copy data to this machine give it a read-only cdrom drive.

IMO, I wouldn't back up the server except for a hard drive image you can use to reinstall everything to a known state. Were I joe online shopper, I'd much rather re-enter cc info than worry that tapes were floating around the country with my data on it.

If you did even half of this, you'd have several times the level of safety than I've personally seen on some other online merchants, and I've been through a good number of data centers.

Re:encryption

[merlin_jim]

What about the storing of the credit information? That will most likely be coming in at arbitrary times, and thus the credit storage machine will need to be connected continuously.

Look at the guidelines in the Visa CISP. They have good information about this... the bottom line is: use asynchronous encryption (store your private key elsewhere and use it once-monthly to decrypt the data as you send it), use a firewall, and patch your OS often.

Re:encryption

What about the storing of the credit information? That will most likely be coming in at arbitrary times, and thus the credit storage machine will need to be connected continuously.

Once you've finished doing the authorization or whatever you need to do, encrypt the CCN using public/private key encryption. Don't store the private key anywhere connected to the network.

Re:encryption

[bluebomber]

IMO, I wouldn't back up the server except for a hard drive image you can use to reinstall everything to a known state. Were I joe online shopper, I'd much rather re-enter cc info than worry that tapes were floating around the country with my data on it.

Most of the time this simply won't be an option. You have to keep backups. And not just so that Joe Shopper has the convenience of having his CC remembered. For starters, another poster noted that this information will be needed to correlate to chargebacks from the CC companies. Secondly, you might not just be storing CC numbers on such a server. What if you were storing other "personal information" that you wanted to ensure was secure? Depends on what you're selling, but purchase history might be one of these. That history and other data is of real value to merchants and can't be exposed to risk of loss due to hard drive failure (which is a high-probability event, relatively speaking).

In my opinion, if you can secure the machine, you can secure the backups. Hire an armored car if you think it is necessary, but storing backup tapes in a safety deposit box or other secure (off-site) location is pretty secure, especially if the information on the backup is encrypted.

Re:encryption

[gregbaker]

...while you're at it, give the secure machine a private IP address. That way, (most?) packets from the outside to that machine be dropped before you ever see them. One more layer of crap for a would-be intruder to get through.

Re:encryption

[alcourt]

While many of these ideas sound great in theory, the reality of administration forces many of these ideas to be abandoned.

1. Physical security. This should already be in place, and not just for credit card numbers. If you don't have adequate physical security on your servers, you have a tremendous problem. Most decent hardware has the ability to key lock access to the hard drives.

2. Network operations monitoring. Often overlooked, this feature is crucial, and contradicts some of the features others advocate of eliminating all other network connections, etc. Any service that needs to be up all the time, such as a billing server (needs to receive new records all the time for changes to billing, as well as customers querying the status of their bill, etc.), should be monitored by a dedicated operations group. The monitoring should be mostly automated (Big Brother comes to mind as a free utility, there are others both free and commercial), but with a human to evaluate the alerts you get so your admins last more than 3 months. This kind of monitoring nicely encourages a smart person to throw in some log monitoring to monitor the logs for "unusual" network activity to flag an alert. But you obviously can't yank the network cable every time you receive an extraneous port 21 connect. You need a human around to look for patterns and have the brains to know when to wake the admin and when not to. You need a dedicated staff of at _least_ 3 people (one off call, one primary on call, one secondary on call) at all times.

3. What I have found works well is to segment the process into multiple servers. Thus you can have a web server that can submit an append request to the database server, but can't do a full read, only certain types of read requests. The database server would of course be sequestered as it would hold your real data.

4. Forget locking people down to the console only. That works up until you need three people working at once to resolve an outage situation. (Don't say that doesn't happen). Instead, use an isolated network with a "hop" box that allows you to choke point access. Not the same as a firewall, but a firewall could serve the purpose as well.

5. As many others have said, make sure all traffic in and out of the box is encrypted by some method. PGP works well for some things, SSH works well for others. There are other options out there. (If you are talking to mainframes, there are some other interesting options.)

6. Good backups are essential. Sooner or later, some idiot will remove a key file at 6PM Friday, only to be noticed at 6AM Monday (or worse, not until the first of the month when you do a large monthly billing run.) There are commercial services out there that will securely store your backup tapes offsite for a given retention period. Test your backups also. On your test machine, blow away the database (prior to going live preferrably), and then restore the system from your backup tapes, and do that at least once every other year, restoring random files at least 3-4 times a year. What good is your data if it is unavailable when you need it?

7. Test machines are a must. When you want to test to see if you left open a back door, don't do it to your production system, do it to your test system that is an exact duplicate in terms of hardware type, every piece of software, and network layout (but obviously no customer data, just dummy data that emulates the structure of the database). It does no good to secure a system only to have the security compromised because you didn't anticipate a side effect that actually chokes off your primary application's access.

8. I don't know if the vendor selected uses phone validation, but if that is the route you pick, make sure your lines are configured for dial out only. Otherwise, it can leave an interesting hole that won't be revealed by even a very heavy TCP scan or lsof -i TCP

Re:encryption

[CrayDrygu]

6. Good backups are essential. Sooner or later, some idiot will remove a key file at 6PM Friday, only to be noticed at 6AM Monday (or worse, not until the first of the month when you do a large monthly billing run.)

It's not always "some idiot" that removes files.

Where I work, we do our payroll in-house. A couple weeks ago, we were trying to transmit the direct-deposit info to the bank, and it wasn't working. Well, it's probably our fault for keeping this in what's supposed to be a "temporary" location (like a /tmp for this specific application), but it turns out that, when that area was cleaned out to free up some disk space, the file that contains our user/password for the bank's system was deleted. Fortunately, I was able to pull it off a backup tape.

And then a few days later, we couldn't change vendor information, because the latest update for our accounting software was missing that file.

Re:encryption

[billcopc]

Instead of going nuts with software and data, keep printed records of transactions, containing only required data to handle chargebacks and whatever it is you need to handle after the transaction is complete.

Cart before the horse

[rhizome]

Why not use a billing service that supports the subscription model you want, rather than trying to find some minefield-laden path toward storing credit card info?

Re:Cart before the horse

[Ooblek]

I have to also say that rolling your own recurring billing program is deceptively easy. I just inherited maintenance of a recurring billing program that works in an accounting package. In the several years it has been in the public, it has been plauged with a lot of problems because no one sat down and wrote algorithms for how billings were to be handled. Checks, validations, and scoping mods were added over time without using any particular analysis of where conflicts may happen. The result was it went through at least 4 people's hands before it came to me, and it is only now starting to work when all documented failure cases have been tested with the new set of algorithms I made.

I will say that the algorithms are fairly easy once all the requirements are known (the designer just hacked it - no requirement spec exists). The big problem is that you will probably find that there are tons of other things you want it to do as your requirements for recurring billing change over time.

Re:Cart before the horse

[Chagrin]

I think the previous poster's point was to avoid rolling your own billing program, and finding a payment service that already supported subscriptions.

Re:Cart before the horse

[laursen]

If I were you I would take a look at either IBill and/or CCBill. They have been in the business for a long time and have a good service level. IBill provide payment via Credit Card, Online Cheque (both recurring) and Web900 whereas CCbill only provice payment via Credit Card and Online Cheque (both recurring) (afaik).

Instead of going through all the hazzle of setting our own billing system then have a look at the billing systems above. I personally wouldn't trust an unknown company/payment solution (no offence)...

Re:Cart before the horse

[sharkey]

You may want to reconsider CCBill. Apparently, in March 2001, they were notified of an insecure CGI that exposed their merchants login information. They removed the CGI, but didn't tell their merchants, apparently hoping to sweep it under the rug.

Re:Cart before the horse

[geekoid]

that would be a logical path, so there's no way a PHB would want to do that.
or somebodies brother in law owns the billing company.

Re:Cart before the horse

[herderofcats]

Unfortunately, none of the existing billing services support a subscription based model. We looked quite extensively for one, but only found ones for the porn industry -- the porn industry has very different requirements for security, and a completely different set of payment service providers that take a much larger cut or have other limitations that make them not feasible.

I understand Portal offers a subscription billing services software product that works with standard payment service providers, however, it costs mid-6 figures.

-- Herder of Cats

Re:Cart before the horse

[crucini]

Because if you are working on a project of any serious size, the selection of merchant bank will be made by finance folks on its own merits. They are not going to accept a clearing provider with a slightly higher rate just because some programmer prefers their API.

Your advice is applicable to very small net businesses. It is unsuitable to serious e-commerce sites because, among other things, it leaves you completely at the mercy of the clearing provider. Imagine sending an email to all your subscribers saying "Dear valued customer, due to a dispute with our former clearing provider we have lost your card number. Could you please take a moment to go to https://...." You would lose a substantial portion of your hard-won userbase that way.

Re:Cart before the horse

[jo42]

> IBill/CCbill

I wouldn't use either one if I could avoid it. With IBill I had an issue where I entered in my CC info and got back an error that the transaction was declined. Guess what? IBill got the money from my CC! Took about three weeks of back and forth to get me my money back. First, they couldn't find any record of the transaction in their systems at all and I ended up faxing over to their financial department my CC statement to prove that they indeed did take money from me. With CCbill, none of my cards would go through - ended up calling the vendor on their 1-800 number and placed the order the olde fashioned way.

Lesson learned was that online shopping is still in the dark ages and sometimes ends up with far more hassle than it is worth.

duh...PASSPORT :P

[BlaKnail]

Just fork over money to Microsoft, and they will provide you will access to an ultra-secure passport server, so your clients will have nothing to fear.

Re:duh...PASSPORT :P

Your Clients will have nothing to fear except (ahem) Microsoft itself...

Re:duh...PASSPORT :P

[CarbonJackson]

I've been wonderin when I'll be able to log into Slashdot with my Passport. I'm nervous about the linky thing with my password right there in the open!

Re:duh...PASSPORT :P

[Sose5000]

Why don't you just store it on a Mac?

Amazon.com

I remember hearing that Amazon.com originally used a Slackware box with extremely limited connectivity as a 'store' for the credit card info. Set it up with extremely limited connectivity, i.e. on a subnet unreachable by the world. Put only extremely limited services on it, i.e. set it up so there's a pipe for credit card info to get onto the box but nothing on the box is shared out and there's just one data path out from the box that sends an 'okay' signal that info verifies correctly. The machine should be set up so a zip drive is the only way to get info off of it, and you have to sit at the keyboard to do so.

eee..

[Axe]

..sure seems like a really interesting idea to ask this on Slashdot..

Just one question: how on earth did you get hired without a clue what to do? What you ask i a standard Q, you ought to know it without us..

All sort of dummies got jobs in the recent years... ;(

Re:eee..

[boydtel]

Yes, and if the original poster wasn't posting stuff that you could arrogantly demean, where would you post your winking frownies? Ah the great cycle of life...

Using GPG always appealed to me

I always thought that this article described a way thats pretty simple, and easy to use / develop.
Cheers.

Re:Using GPG always appealed to me

[Bronster]

webtechniques.com article on using GPG

The only thing that I would add to that is also partitioning the CC-number space so that an attacker who breaks one key doesn't get all the numbers, just a subset. And easy way to do this is to generate a new GPG key (say once per day) on the secure private-keys machine, and copy across the public key only to the servers. These can then encrypt the CCno with the public key, and also store the key used in the same DB entry.

That plus a bit of salting so that two different customers using the same CC number (say Husband and Wife who share a CC) don't show up as the same, and all is happy.

The dangerous bit is still going to be personel issues and access control to the private key storage, though passphrases can be used here.

I guess the issue is that if your system is going to have to be able to decrypt the CC real-time, then you can't have most of the access controls that we're talking about here. A computer is going to have to take an incoming message and load the CCno into memory at some point.

Re:Using GPG always appealed to me

[B1ood]

I think I can one up this article. It says: "The safest way to keep such information confidential is to encrypt the data as soon as you get it."

Why do you even have to have the credit card info in plain text? Or even in a form that someone at your organization can decrypt? Why can't the user encrypt the credit card credentials with PGP encryption before it even gets to you? Something client-side could easily enough download a public key, encrypt the data, send it to you, and you send that. The associated private key might be VISA's, MC's, or a middle service, but not one from your company.

There is an easy enough automated method to distribute ssl certificates that the user doesn't have that much to worry about when they visit an https address, surely a tool could be forged to never possess a credit card number that can be decrypted at any point of the transaction until it gets to the people that actually need the number.

Re:Using GPG always appealed to me

[spudnic]

Because most people are lazy and/or stupid. They want their cc info to be safe, as long as it doesn't require much effort on their part. If my mother wanted to buy something from Amazon but they told her she had to download and install some small program to allow her to do this, she'd find the item somewhere else or drive down to the wal-mart instead.

Split up the CC#

[c0y]

Store half the credit card number and half the expiration date in a cookie on the user's computer. Store the other half in the database, encrypted.

Even if someone cracks the server, the database itself will not yield valid CC's.

Re:Split up the CC#

[GigsVT]

That is the worst idea I have ever heard. Suppose you decide to store the latter half of the card number in a cookie, and some other site decides to store the beginning part in a cookie, using your method, bam plaintext credit card number on the user's computer, which is probably the least secure place for it to be stored in plaintext, since they probably have an open read-write SMB share hanging out from the latest MS worm.

This goes to show why it is very dangerous to "Ask Slashdot" about anything important or security related.

Re:Split up the CC#

[anthony_dipierro]

Suppose you decide to store the latter half of the card number in a cookie, and some other site decides to store the beginning part in a cookie

It's worse than that. The beginning part of the CCN is just a designation for your bank.

Re:Split up the CC#

Wouldn't the user then have to log into the site once a month in order to be billed? Maybe that's a feature? ;)

Re:Split up the CC#

[c0y]

Actually, as I have implemented this, I encrypt the whole thing, and *then* split it up. It's not great encryption, but it's good enough for the purpose. Even if someone decrypts my code, they still wouldn't be able to retrieve half the credit card without the other half.

Re:Split up the CC#

[tlk+nnr]

That is the worst idea I have ever heard.

No, it's a very good idea, but a bad implementation.
A good implementation would use a one-time-pad from a random number generator.
- build a structure with the billing details.
- generate a random number block, as long as the whole structure.
- XOR encrypt the billing details with the random block, only store the encrypted version on your server.
- send the random number block back as a cookie to the client.

That's absolutely secure - you can't get the CC# without the user cookie. A simpler alternative would use a block chipher instead of a one-time-pad.
Unfortunately it doesn't solve the problem - what if a user doesn't log in for a month?

Re:Split up the CC#

[GigsVT]

There are other problems, the user could delete the cookie, reinstall, switch browsers, start refusing cookie requests, etc.

Re:Split up the CC#

And what about those of us that regularly delete cookies as a security/space saving measure?

Every time my box reboots (I'm still running Win98 at the moment so it's far too often, ugh) it deletes all cookies.

Re:Split up the CC#

[vrmlknight]

what if they delete the cookie or god forbid use a different computer?

Key: used to...

[OSgod]

So what do they do now? Why did they cease using the security through lack of functionality?

How does Surepay store it?

[mESSDan]

If the question is how to store data in a responsible way, why not ask Surepay, who you are sharing the sensitive data with? Surely they will have some insight into this, and because you are a client, may be more apt to share it.

Maybe your question could be asked how to safely transfer it?

Re:How does Surepay store it?

[rebean]

Surepay obviously doesn't store the data. That's why they won't support recurring billing.

Nothing is 100% secure

[morcego]

Okey, this is redundant, but you have to draw a line somewhere.
One thing I would suggests (and you won't like) it that you keep all CC data on a removible media, that only gets inserted (manualy or otherwise) when you have to send it to the billing company. I suggest that you make this process manual, so you can keep an eye on things why doing the delivery.
Okey, this is arcaic, but it's a good security measure. Just be sure all data goes encrypted, and that the media where you stored it is well protected.

Re:Nothing is 100% secure

[chris_mahan]

Thinking of that, why don't you set up something with the vendor where you will send them (fedex, ups) an encrypted CDrom with the info. That way, if the CD is lost, you don't care, and it doesn't go through the internet at all.

But the better solution is to get together with your bank (you are a normal business wuth a commerical account, of course) and get their solution on board.

Re:Nothing is 100% secure

Correct, you won't like it. And it creates even more problems than it solves. Obviously users will first have to send their credit card number to sign up for the service in the first place. Unless new users have to first call you before clicking submit so you can insert the tape, where would new user CC#s be stored?

Re:Nothing is 100% secure

[spudnic]

What happens to all the cc numbers of new members that sign up each day?

This is what I was thinking...

[MattRog]

I was thinking about this the other day (since we're trying to do the same thing on our site) and I think it would take some sort of a special arrangement or a special package (if they didn't offer it before).

The details are something like this:
set up a database on your site to hold this type of information:
cc_hash,
payment_expiry,
userid,
etc.

Then, when the user vists your store (unless you are paying for the SSL license chances are you're redirecting to surepay, correct?) have it embed a userid (or whever you keep track of on your end) form field. After the user pays, have the surepay place either post a SSL form, send you an encrypted e-mail, etc. with the CC number (or some other form of identification) MD5'ed back to you. You can store that hash (hashed with maybe a secret 'salt' that only you and sureplay know) along with the userid in some table. Then, when the payment_expiry date rolls around, you can poke surepay with the userid and cc_hash so they know you still have their CC number (surepay would keep the unencrypted version and could generate your MD5 hash). Obviously if someone was evil they could break in and 'steal' your table but all that allows them to do is re-signup your current members (and that wouldn't be too difficult to un-do either).

Re:This is what I was thinking...

[MattRog]

To clarify I guess:

User enters site
if form is on their end:
user enters CC info,
surepay verifies
surepay pokes you with:
MD5( $cc_num . $secret );
$userid;
expiry;
you store it in your DB
else form is on your SSL site:
user enters CC info
you verify
you store
MD5( $cc_num . $secret );
$userid;
expiry;
end if

then you routinely poke their servers when you figure out the expiry is up and the end user hasn't quit.

Or, of course, if surepay has the ability to re-bill someone, use their automagic service. :D

Choose another processor?

[TheGreenLantern]

Perhaps it's not possible, but it seems to me both your and your customer's lives would be made a lot easier if you'd go with a credit card processor who does support recurring billing.

Re:Choose another processor?

[mikewas]

This doesn't solve the problem, it just transfers it to somebody else i.e. the credit card processor. Now you as a user of the processor still have an obligation to your customers to assertain that the processor has proper safeguards in place.

There's also something to be said for keeping this data distributed. One humonguos database is a tempting target, and cracking one protection scheme nets a large return. Many small databases each with a different implementation would require a much larger expenditure of effort for the same return and might raise an alarm if other(s) got cracked first.

Re:Choose another processor?

[Kamel+Jockey]

This doesn't solve the problem, it just transfers it to somebody else i.e. the credit card processor. Now you as a user of the processor still have an obligation to your customers to assertain that the processor has proper safeguards in place.

It solves the CYA problem though. Presumably, a vendor which does support recurring billing has already solved these problems to the point at which they are able to resell it as a solution to a third party. Of course, verifying this is crucial. But, it usually more efficient and practical to buy a solution from an experienced provider than to throw one together (and go through the usual debugging, testing, etc.) on your own.

Re:Choose another processor?

[TheGreenLantern]

Exactly the point I was about to make. Why re-invent the wheel and all that nonsense.

dont connect it to the net

Just don't. Credit card databases are too tempting a target for crackers. I've seen an ISPs card database hacked when they thought it was safe. It was a Netware server connected to the network, but with no direct internet connectivity. The cracker rooted the linux servers, then built the loadable IPX and netware kernel modules, mounted the netware server from the linux box (which the ISP people didnt realise was possible), and got full details of over 7000 user accounts. btw, in my experience ISPs *never* reveal stuff like this to their customers.

If you want it to be safe, use something simple and one way, like sending the details over a serial line with the rx wire cut. Cut off the database from the Internet as much as possible. Also try and restrict access within the organisation. The last thing you want is customers to find out their data has been stolen, if it happens remember you have no legal obligation to tell anyone. Keep quiet and maybe your company will still be around in 6 months time.

Re:dont connect it to the net

[DerekLyons]

If you want it to be safe, use something simple and one way, like sending the details over a serial line with the rx wire cut. Cut off the database from the Internet as much as possible.

Most of the solutions posited so far in this discussion keep ignoring the fact that the data has to kept safe *and useable*. In this instance the data has to not only be stored, but sent to Surepay. For an E-Commerce site, the idea is that credit card info should not have to be re-entered everytime the user wants to purchase something. Credit card numbers are not passwords, so the simple 'box only returns a yes/valid' response won't really work for rebilling.

Why don't you ask a porn provider

[typical+geek]

hmm, getting a credit card billed monthly sure sounds like most porn sites I've been a member at, err, it sounds like most porn sites I've read about on /.

Re:Why don't you ask a porn provider

[ackthpt]

Might ask the pr0n biller as they seem to have some experience with how not to do this.

Re:Why don't you ask a porn provider

[GigsVT]

Yeah ask CCBILL, they are secure, so they say.

Too bad /. rejected the CCBILL story, it's probably the biggest breach of security in recent years.

Simple

Just use a flat file plain text database on your webserver. Then your billing application can easily read and supply the necessary information to surepay. A simple robots.txt file will prevent it from being indexed and it will be 100% secure because it will be hidden!!! Simple, elegant, and secure!

Re:Simple

[19Buck]

sure a robots.txt will stop spiders that ~play by the rules~ from indexing, but it wouldn't do anything to stop the ones that DON'T play by the rules, and those are the ones that you really want to keep out.

I'm not a programmer, but to me, the fix to this seems simple. Exactly like others suggested, instead of trying to jury rig something to work around what the processor won't give you, go and find one that does. You'll be much better off in the long run.

Make sure you use encryption

[f00zbll]

Reguardless of what ever language, platform or server you pick, use encryption for sensitive information like credit card number, expiration date, and name for the credit card (in case it's different). Typically in an enterprise environment you want to use one way Hash for the password and dis-allow retrieval of the password. If the user forgets their password, they get a new password and are forced to change it when they login the first time. Yeah, it's more of a pain for the user, but it's the responsible thing to do.

Use DESEDE or something equal. The main goal is to make it so if someone break into your database, they can't get clear text passwords, credit card numbers or expiration date. If you want to be really hardcore, you can have a different secret key for each user, which is decrypted at runtime to generate the appropriate key used to decrypt the credit card information. Make so that once the system is up, no one can get credit card information without asking the customer. This way the information is only in plain text when the charges are made to the card.

Re:Make sure you use encryption

[duffbeer703]

That's brilliant!

All you have to do now is purchase a couple of dozen servers to do all this encryption.

Re:Make sure you use encryption

[spudnic]

This makes perfect sense, but what about for data that has to be shared and also secured. One example that comes to mind would be a database of patient data. The data needs to be available to the user once an SSL connection was established and password authentication was performed.

I could set up a secure box connected nic to nic via a crossover cable that only ran an sql daemon that only responded to the web server, and have all the data in the database encrypted. The problem I see is that the applications that requested data from the database server would have to contain the key to decrypt the data. Once someone rooted the web server they would have access to the scripts that handled communication to the database. A yes/no from the server wouldn't be enough in this case, it would have to actually get the data.

What is the solution in this case?

.

other articles

[Jonny+Ringo]

Well, on all the major articles where the headlines humiliate the company, because it was broken into. What always stood out was the fact that they stored all the customers info in a plain text file with out encryption.

Every article roasted the company over that specific problem the most. I think the reason why is its more excusable to to have a whole somewhere in your network, but there is just no excuse for not encrypting the files.

An Idea

[mESSDan]

This is just an idea, so shoot it down if you like.

Why not just have Surepay provide a really high bit crytpo key? Then you can encrypt the data once using this key, send it to them encrypted, and they can decrypt it. Since the data would be stored in an encrypted state, and THEY supplied the key, what would be the problem?

Re:An Idea

[keesh]

You're thinking of RSA, maybe? Think again. RSA and variations are extremely vulnerable to chosen plaintext attacks. Unless you're sure no-one can get between you and Surepay, don't use any of the public key algorithms on their own. You can't really mix them with other systems (DES, IDEA, whatever), because you still have the same problem.

Check the references in /Applied Cryptography/, several explain how to do this.

Granted, it's still a several-million-dollar task, but how much is a credit card list worth?

better idea

Why not copy the data to floppy, lock it up and when the time comes mail it to your vendor?

Re:better idea

[8string]

Bad idea.

Haven't you heard of the anthrax mail virus?

Paper

[Glytch]

Hire people to do it all manually. May be more expensive, but paper in a locked filing cabinet can't be hacked. Automation is not always the answer.

Re:Paper

[austad]

Hire people to do it all manually. May be more expensive, but paper in a locked filing cabinet can't be hacked. Automation is not always the answer.

Yeah, and when you take a cold shower, you probably turn on the hot water for 20 minutes until it's cold. Don't be silly Inefficiency-man.

Re:Paper

[haruharaharu]

Hire people to do it all manually. [snip] paper in a locked filing cabinet can't be hacked

Actually, the people are usually the easiest to 'Hack'. It's usually called social engineering.

Re:Paper

[Skirwan]

Yeah, and when you take a cold shower, you probably turn on the hot water for 20 minutes until it's cold.

Abusing unintended timeouts in your hot water supply to access cold water through hot-water channels may be a violation of the DMCA. Please be advised that hot-water channels are to be used solely for the transport of hot or lukewarm water, and that any other use is prohibited by your license agreement. Sharing information that may allow others to mis-use common hot-water channels in unintended and undesired fashions is irresponsible and may leave you liable for criminal damages.

--
Damn the Emperor!

slashdot is stupid

yes it is possible that slashdot is stupid. In fact, it's guaranteed.

This is a social problem, not a technical problem

[diamond0]

This is a social problem, not a technical problem. Obviously, you'll need to store the actual billing information in a database, in cleartext, and access it on a regular basis when recurring billing needs to take place; this affords every opportunity for abuse of the data.

The goal, then, becomes motivating your colleagues and/or marketing-and-management-types to use this data responsibly. My suggestion would be to insist that the customer be given unconditional recourse in the event their data is mishandled as a term of the (recurring) sale. I can't say I know of any company that actually does this, though. The ubiquitous "terms of service" and/or "privacy policy" often give a company wide latitude with your data.

You could compare this problem to convincing the management that spamming is a Bad Idea; often they just Don't Get It.

what about PayPal

[MoceanWorker]

PayPal also is a fee based subscription service... i'm not too familiar with Surepay... but PayPal is one of the most reliable billing vendors out there

Re:what about PayPal

[Samus]

I have serious doubts about paypal. I've not used it but the horror stories on these sites are not encouraging. paypalwarning and paypalsucks Most of the stories seem to be vendor is reputable with good history, gets a complaint or chargeback and gets locked from his account for > 3 months. I guess YMMV.

Re:what about PayPal

[jo42]

Except they are not a bank, nor FDIC insured. PayPal is walkng a fine line and one day the gubiment will wack them real hard.

Somebody mod this gentleman as

[CaptainZapp]

insightful, please.

Boy, this advise is simple, cuts down to the bone and unfortunately wont solve his problem.

Why the fuck specify companies requirements, which are not directly relevant for the business, but make life a helluva lot harder?

sigh...

storing info in a "secure" location.

[spotter]

I've thought about this problem a bit, but never really had to implement anything, so anything I am about to say, should perhaps be taken with a grain of salt.

One assumes that the web server is insecure, and therefore is going to store the data on another "secure" machine.

One needs to make a very specific interface that one can use for the "insecure" machine to talk to the "secure" storage machine (this is the machine that is going to do the cc verification also)

Presumably, the "secure" machine is not going to be running any services that are accesible to remote users besides whats needed for the the web server to talk to it. One can do something like only allow the machine to talk to the "insecure" webserver, but this doesn't buy you much more security, as all someone has to do is crack the "insecure" web server and you are at the same place you were before.

Getting back to the interface these programs speak. One basically needs an "input" func, and a "status" func.

Basically when one register with the site, the werb server doesn't store any information about the credit card on itself, as it immeadily connects to the "secure" machine and uses the input function to inform it about the new account.
It can then use the status function to determine that status of that account

status can be OK, or NOT_CHECKED_YET, or NOT ACCEPTED or the like. but basically something that is read only by the server.

Both of these services should be easy for the "secure" machine to check that its getting properly formed requests (i.e. is someone is trying to attack it). One can also make a script that then verifies each account each month, and since one can do this over a phoneline, you don't even need to allow any other outbound connection from this machine.

yes, a little bit more thought probably has to go into this, but this is what I came up with a while ago. feel free to criticize away.

Re:storing info in a "secure" location.

[Ageless]

I am in the process of designing a similar system and your ideas model mine pretty closely.

The key is the interface used to talk to the "secure" box. The only time a credit card number should ever be transferred across the interface is the initial "input". After that it's hashes to verify when needed and user ids to associate.

I also have the notion to make the "secure" box completely detached from the standard network and use only a serial interface that attaches to your credit card processing interface. In other words, the only way to get a shell on the machine is to walk up to it and sit down. Not even a shell via the serial link.

I have a lot of ideas for this and I get to start implementing it soon, so I am excited. I want to do everything I can to insure that my site is not the next Egghead.com :)

Re:storing info in a "secure" location.

You are going to need to store cc info on the secure machine. But the cc info will originate on the client, be sent to the webserver, then sent to the secure machine. If I break into your webserver and put a nice logger on there to catch the data sent to your secure machine, I will be catching the cc info that you are writing to your secure machine...

Re:storing info in a "secure" location.

[Ageless]

I agree with you here, but not much can be done. The trouble can be minimized by having the script (servlet in my case) immediatly re-encrypt the data to send to the secure machine, but you are correct, the web server are the weak link.

The secure box is mainly to avoid situations where an attacker can get the entire database of credit cards and is meant to minimize risk. It is also mainly used to stop immediate attacks. I am relying on the fact that with tripwire and such on my web servers I will detect a break in as, or soon after it happens and be able to remove or secure any kind of logger installed.

It's not fool proof, but nothing is. I'd love to hear some ideas on securing the web server weakness though.

Lockbox, & let the customer decide...

[bourne]

Though there is no really good way to do it, the safest way to do it is to isolate credit card info onto a seperate box, limit the access to that box to the absolute minimum required to request a charge, and have that box then directly contact the credit card clearinghouse rather than return a CC# for use by the other half of your application.

Encryption (SSL minimum, preferably also encrypted in store with keys being supplied by the other half of the application) is necessary, the lockbox code needs to be as limited in capability as can be, and what remains must be thoroughly audited to limit the likelihood of breach. No other services should run on that box, and physical access must be tight. A shared cage at Exodus doesn't do it.

Whatever you do technically, I think the most important thing is... don't forget to let the customer decide. Any app that stores CC info should allow the customer to decide NOT to have their info stored. I rarely see sites that allow me to "opt out" of having them store my credit card info, and I'd rather retype it than trust them.

Re:Lockbox, & let the customer decide...

[jayfoo2]

Actually.....

Even if they are not storing your credit card info for you to use again (i.e. a profile) they are almost definately storing the info for their own reasons.

The rationale behind this is that when there is a chargeback (when a customer tells their issuing bank a transaction is fraudulent or otherwise bad) the merchant is responsible for convincing the credit card company that it was a good transaction.

The problem is that when Visa and MC tell you that you have a chargeback all they give you is the Credit Card number, date, and amount. You need to have stored in your system the details of the transaction linked to that credit card number. Otherwise you can never fight chargebacks and you'll get screwed (for aboveboard merchants ~.4% of transactions result in chargebacks).

So it's unlikely that anyone who knows what they are doing would build a system that doesn't store your credit card data. Hopefully they are securing it well.....

Re:Lockbox, & let the customer decide...

[bourne]

The problem is that when Visa and MC tell you that you have a chargeback all they give you is the Credit Card number, date, and amount.

I had been under the impression that it was more usual for credit card companies to use a subset of the number, usually the last four digits in conjunction with the expiration data. That was second-hand knowledge, though. I worked at a .com and recall the support people and the development people going back and forth because the developers initially didn't store/display the subset that support generally needed for dealing with credit card issues, and the support people had a hard time getting the appropriate engineer to 1) understand and 2) fix the problem.

Re:Lockbox, & let the customer decide...

[tshak]

For chargebacks with no transaction linked to the Card Holder/Customer, simply store a MD5 or SHA-1 hash of the CCNum. When you reconcile, hash the CCNum/exp from Visa and compare it with your records. You will probably want to add a fixed padding to the CCNum, otherwise one could crack the hash very quickly (days) using a simple LUHN-10 brute force attack.

Re:Lockbox, & let the customer decide...

[jayfoo2]

You usually store the entire number and display only a subset. A four digit number along with at month/year combo (which since cards only last 3-4 years only has 36-48 max possible values) doesn't really provide a unique identifier.

Re:Lockbox, & let the customer decide...

[jayfoo2]

Probably overkill in most cases. It also makes it impossible to do higher order queries on CC numbers (such as determining type from the first digit).

As long as you can keep your data safe from your employees simply encrypting the data with something robustish (RSA, Triple DES with a good size key) is gonna be enough protection).

Also the number itself isn't really the sensitive part of the package. Much of the security with credit cards is matching the number (which is easy to determine, they are not random and they only have 6-8 variable digits, plus there is a checksum/hash formula) with the exparation date. Hashing the Exp Date doesn't buy you anything since there are really only 36-48 possible values (cards only last 3-4 years). Hashing the numbers together does work, but knowing the customers exp date is sometimes important for business reasons (i.e. for subscriptions you don't want to keep charging an expired card).

So... I'd go with encrypting the whole smash and auditing who can get in and out of the encryption.

Re:Lockbox, & let the customer decide...

[Zagadka]

90% of credit card processors don't verify that the expiration date matches the one on the card. They just make sure it's in the future. So the expiration date doesn't provide any security at all for the vast majority of credit cards.

Re:Hashing - Seperate Retrieval Agent

[TheConfusedOne]

The ol' Public Key Private Key encryption is the answer.

Generate a Public/Private Key Pair on an isolated high-security box. Copy the Public Key to the Web Server where all the data is being received from. Use that key to encrypt the data and store it in a DB (preferrably on a box seperate from the Web Server.)

Once a month, the high security box will connect to the DB and use the Private Key to decrypt the information and transfer it to the pay agent. Configure this box very carefully and only allow it to talk to the DB box and the Pay Agent's server. Also, if you want to be extra careful keep the private key in a smart card and lock that up in a safe during the rest of the month.

Internal Controls

[jayfoo2]

Absolutely key to securing financial data (or really any data) is the use of good internal controls.

Most technologists spend a lot of time securing their data from external attack (i.e. a cracker). This is important but it is not the most likely threat.

Well over half of all thefts of financial data are committed by employees/trusted users of the company. Sometimes by the people who maintain the system and sometimes by others.

You combat this two ways. First with technology, the system (in this case probably a database) that contains the data should be access controled. It is also a good idea (and required by visa/MC) to encrypt the data. Another thing to watch out for is that you are not putting the credit card data into any other places, i.e. log files. you need to physically control access to the hardware running the system. Finally watch out for your backup tapes/media, especially if they are stored offsite.

On the soft side you want to have good audit controls on the data. Whatever method is used to access the data should leave a record of it doing so in a manner that is hard to compromise. People who don't need access to that data should not be allowed near it. Finally you need to be able to trust the people with access to the sensitive data, depending on the level of sensitivity this could involve cursory or invasive background checks. Banks background check their employees rather carefully, and for a reason.

Re:Internal Controls

It is also a good idea (and required by visa/MC) to encrypt the data.

*buzzzz* Wrong! But thanks for playing!

I worked for a *large* e-commerce company (and one that's still around) that for a long time did *not* encrypt credit cards numbers in the database. Sure the transmission was encrypted, but that's just a small piece of the puzzle. I doubt there are any URLs backing up the claim, but even if there are I can personally vouch for the fact that they are not enforced.

lots of one-way gateways

[markj02]

Well, the billing system needs to store the customer data in plaintext in order to present it to the remote machine. That, of course, makes it very vulnerable.

I would probably choose an architecture that has a dedicated machine for just the periodic billing to the credit card processor. The machine would sit behind its own hardware firewall (real cheap now) and only be permitted to make outgoing connections (no open ports on the firewall). The web servers would gather updates to user information and make them available for pick-up by the dedicated machine; once picked up, they should get securely deleted from the web servers (keep the data off the disk, purge the swap partition periodically, worry about transaction logs).

The billing server needs to make backups of the billing information. It can encrypt those and push the encrypted data out. When the machine fails, as it will sooner or later, you can restore from the encrypted information outside the firewall.

You still need to ensure that the web servers themselves aren't compromised because otherwise people can collect data there as it is submitted by users, but you always have that problem. Personally, I like continuous monitoring of system files and network connections, together with automatic periodic reinstalls. You probably also should have independent sanity checks on the update records (check for size limits, etc.).

I'd strongly recommend not writing any of this stuff in C/C++ or Perl. In the former, the probability of pointer bugs or buffer overruns is too high, and in the latter, it's too easy to leave out error checking. I'd probably go with Java--it's not perfect, but it's mainstream and reasonably mature.

Re:lots of one-way gateways

[markj02]

Well, the billing system needs to store the customer data in plaintext in order to present it to the remote machine. That, of course, makes it very vulnerable.

I should add that if you are really worried, you can store the data in encrypted form on the server and use manual intervention (smart card, password) for decrypting it and sending it to the credit card processor. Then, the machine can only be compromised when a human is present, and you could even ensure that multiple employees have to be present for billing, if you wanted to. But that's probably overkill for credit card numbers, which are not that hard to come by and protect consumers fairly well anyway.

"My Honda isn't a Ferrari..."

[somethingwicked]

I see this same mentality on some of the car related boards that I go to (luckily appears that this is not the programmer's requirement for Surepay)

Some things you can "sup-up", but certain features don't come on the Yugos of the world...Good luck on reprogramming the manager instead

Public key crypto

[ka9dgx]

It sounds like you need a public/private key pair. The public key could be used on your webserver to generate records to go INTO your database, which could then only be decrypted by the private key. Keep the private key offline, except when it's being used during the billing cycle (you could use an offline computer to be really secure about the billing processing). This should give you the flexiblity you need, being able to write the data at any time, and only read it with the proper key.

I would imagine that the good old fashioned command line incarnation of PGP would be quite good at doing the encryption, as your write access traffic is quite likely to be very low.

Keep physical security, and redundant secure backups, and you should be set.

--Mike--

Hire the right experts.

[bluGill]

Bruce S. (I'm not gonna try to spell is last name) of Applied Cryptology fame is where I would start. Read his books, do a formal design of the system, and then hire him/his company to aduit your design BEFORE you start coding.

Don't forget to have a range of secure systems to work with. Run the web server on openBSD, and have the dataBase on trusted solaris. And use a good database and firewall (none come to mind off hand. (Note I'm giving examples, you can mix and match to please, just so long as they have to break several systems to get the data, none of which trust the others)

Take the additude that your web server will be cracked. Do your best to detect that. your firewall should protect the database (unless it is hacked!), and the database doesn't trust the firewall. With good detection you should shut down the front line systems before the cracker gets to the back end.

Remember to have experts aduit your design. Have other experts audit your code. (the later is hard, but it helps a lot)

Security vs. Liability...

[dudelar]

As you consider ways in which to provide safe escrow for the customer's personal information, you might consider consulting your corporate attorney to get an appropriate waiver of liability in place. By storing the credit information beyond the life of the immediate transaction with your payment service, you're opening yourself up to additional exposure to yourself that I'd imagine isn't covered by the contract with the credit card processor. It looks like you're stuck in the realm of symmetric encryption techniques for the information, and there are steps you can take to protect your encryption keys. But even with good physical and software security (hardcopy keys in bank vaults, regular key rotation) it would be prudent to limit your liability. Something else to to check into is any additional privacy regulations that may apply if you end up being a financial "intermediary". One of particular note is Graham-Leach-Bliley which requires certain disclosures when you have certain roles in financial transactions. Again, a real legal opinion is probably your best bet here.

Information wants to be free

[Dionysus]

Why encrypt it? Kinda parasitic to keep information from people, isn't it? And they're not thiefs. They're information liberators.

Ditch Surepay...

[Brendan+Byrd]

If they don't support recurring payments, maybe that's the initial problem. I guess your PHB doesn't like that idea, does he?

In terms of security/responsibility, it's impossible to create a 100% secure system, but as long as security is a focus in your software (and it isn't rushed), it's destined to be as secure as possible.

I guess I could list a few pointers to help you out, though (in random order):

• Don't trust HTML pages to give the correct limitations and forms. People can change local copies and send any data they want.
• Never use "secret" URLs, unless you use some sort of HTTP passwording system, or something else similar. (This has been the cause of many data-theft attacks.)
• Encourage customers to use secure passwords, such as 6+ characters, letter/number & upper/lower combos, no dictionary words, etc. (And for god's sake, let them use spaces, if they want.)
• Store billing information in a seperate system than the web server or any other system. Put the billing server behind the firewall on a private-class network. If one gets hacked, the billing data is safe.
• Make use of that 3-digit number on the back of CCs to verify that they aren't stealing numbers. (I really don't know if that's possible, but you should investigate it, as it would curb a lot of usage on stolen CC numbers, unless they have the physical card.)

Check with Visa

Visa has some pretty clear rules about what online sites should, and shouldn't do, with credit card data.

Single sign-on, encryption, restricted access, with (potential) fines for vendors that cause excessive problems. With these, Visa claims a fraud rate of 1% was dropped to 0.06%. If it were me, I'd work with either the CC processor or Visa to work out recurring payments. Make sure you're not legally on the hook for any mistakes or breaches.

My wife uses throw-a-way numbers, I change them at the first hint of a fraud problem -- both are going to cause you headaches.

I hate vendors who back-end credit card information and work very hard to avoid them. You could do us a big favor and alude to the vendor (so we know who to avoid).

Re:Check with Visa

[Pituritus+Ani]

I use throwaway numbers (like American Express Private Payments) to avoid being forced into a subscription for something I just want to buy once (e.g. Consumer Reports--you can't buy just a month; you have to commit to recurring billing. Solution: use a throwaway number. If I forget to cancel, no problem, charge bounces and CU cancels for me.)

Moral of the story? If you offer recurring billing, make sure there's a way for a customer to sign up short term or make a one-time purchase. If there's not, the customer will create one, causing the merchant potential headaches.

Store CC info offline

You need to make a write-only link from the site to a machine that is only connected to the net when needed (during processing). Write the CC info over this link as it comes in. To be really secure, then move this info off the machine to a machine that is not connected to the internet at all (via sneakernet). In any event, that is _all_ this machine will do is process the monthly cc charges.

Then, you can process the cc transactions in bulk as needed. Since the only time the machine is connected to the internet is when it's processing, it's fairly secure. Still, take all the standard precautions (firewall, etc). Since you can block all incoming ports and only open a few outgoing ports and no servers will be running on the box, it will be secure (esp if you use something like OpenBSD).

If you want to be really paranoid, you can do some data rate checking on your internet interface (eth0, dialup, whatever). You know all the data that you will write out and can make a good guess how much data will come back. If this changes by too wide a margin, something is wrong and you should take a look. If you do that, the box will be unhackable remotely (at least all attempts will be detected, and stopped before data is snagged). Someone would have to break in and know to disabled the byte counter before the alarm goes and the connection is dropped, and it's doubtfull they could do so w/o tripping the meter in the first place.

If you can't have a write-only link to a machine you have access to, you'll have to encrypt the cc info as it comes in (make sure it never hits disk unencrypted). Do not store the decryption key anywhere on the server! Then move this file offline to your cc transaction machine.

Log it.

[TheSHAD0W]

Having credit card data available on your system is a huge potential problem; any security hole might be exploited, and even if none of the card #s are misused, it would make your customers very unhappy.

I'd recommend transferring the card numbers to another machine via a logging-type channel; in other words, send the card number and billing data to a logger on a machine with no other servers running. The fewer open ports, the less chance of the machine being exploited. An application on that machine could then read the log and insert the appropriate information into its database, and perform the billing functions as needed.

Re:Log it.

yeah, if we were in third grade, grow up, chump, your primitive "security" ideas are just fucking pathetic. go home.

Re:Log it.

Yay! TheShad0w has graced us with another ill-thought out idea blessed with his +1 bonus. Maybe he's the world's biggest moron. Only tomorrow will tell!

Visa and M/C rules

I pretty sure there are Visa and MasterCard rules that say you are not to store customer credit card numbers in any kind of database. Yes I know everyone does it.
My idea is to have the box that does the monthly processing that has an interface that lets card numbers in but not out. And beyond that no other connetions.

NIH?

[hey!]

There's lots of issues with storing credit cards, not the least is showing that individuals working for you can't misuse the data and would have difficulty even colluding to misuse the data. I know, I was a IT director in the pre-dotcom days when people took these issues seriously.

Hopefully, there will be some insightful answers posted to /., but I think there are some other parties you may wish to ask. If you have a good CPA, they will know how this issue is handled in related businesses. Also, don't forget the credit card companies themselves, who should be willing to share their ideas for "best practices" when using their products. Remember, they have a vested interest in making their products convenient and safe for vendors to use.

Finally, this seems like a commodity sort of task that involves lots of headaches to get right (like payroll). Perhaps it would be better to buy the solution from a vendor/service beureau that can handle your requirements and so you can concentrate on the things which differentiate you. If,on the other hand, you are in the business of managing this kind of information you should have people on your team with considerable real world experience in this.

Good luck.

Good practices

[Pinball+Wizard]

Here, in a nutshell, is how I do it.

1 - I use OpenBSD for firewalling. You limit connections to your machines by only allowing specific ports to connect to that machine. You can also control which way connections are allowed to connect. For instance you might wish to limit connections to your web server to port 80. For the database server that will hold the credit card data, a good way to do it would be to allow port 22 into the server, and no traffic whatsoever to leave the server.

2 - Use private key encryption. There is no need for anyone but you to have the key so use a good private-key encryption on your data server. Triple-DES is a good choice. It comes free with OpenBSD

So, basically, what you need are two OpenBSD boxen, and the expertise to set up two firewalls, SSH, and Triple-DES. Then, to get your data, a cracker has to 1)Crack two OpenBSD boxes 2) Exploit a hole in OpenSSH 3) brute-force Triple-DES.

In other words, they will be having snowball fights in the ninth layer of hell before someone gets to your data.

Re:Good practices

[crucini]

Use private key encryption. There is no need for anyone but you to have the key

I don't get it. How will the system encrypt the card numbers if it doesn't have the key?

Re:Good practices

[emn-slashdot]

you are dumb.

-Jacksoff Withpoop

Re:Good practices

[emn-slashdot]

Obviously, you have no idea what you are talking about.

Re:Good practices

[Pinball+Wizard]

I run an ecommerce web site that has never been cracked.

So tell me, smart guy, how exactly would you get past two OpenBSD firewalls and Triple-DES?

Re:Good practices

[Pinball+Wizard]

The system would have the key. Public key means that an untrusted system can get a copy of the key. SSH and SSL are examples of public key encryption. A private key is only given out to certain trusted systems. So the only way to read a data file encrypted with private key encryption is to somehow steal the key.

Re:Good practices

The issue you seem to miss is that a firewall is completely useless if the services you offer on machines that you allow access to are weak. I'm sure your OpenBSD firewalls could be the most secure machines on the face of the earth, but if just 1 fucking exchange servers you havn't patched since NT 3.51 is in the open than your entire network is comprimised. I hope you understand how stupid you are because I'd hate to accidentally buy something at your god-awful book store and get my credit cards stolen off your SQL server that still has the (baby-fucking) default password.

Now stop your bitching and get a security tech with balls enough to Just Say No(tm) to shitty software. I hate you fucking morons. How many of you dumb fuckers have relied on the ol' "Security? Well, we have a firewall" mentality. You are a dieing breed of morons.

-Jacksoff Withpoop

Re:Good practices

too many people think that a firewall makes the network secure... obviously that idiot is one of them... i wish they would stop acting like they know what they are doing because when the site is hacked and the business gets sued by the credit-card corporations they are going to be out of a job. die fucking communist pig-dogs. die.

Re:Good practices

never been cracked?

I'm sure you think all crackers would leave you a nice note on your index.html telling you he cracked your site and is in the process of ruining your customer's credit. Let me clue you in... You are in a fantacy world. You are blind, and delusional. It's going to suck when you get 1000 copies of "Anal Sluts II" in the mail courtisy of your customers... I'm sure they would give a fuck about your useless OpenBSD fucking firewalls then will they?

More importantly, will you give a fuck about your useless fucking OpenBSD firewalls when you are out of a job?

Fuck off you ignorant, baby fucking prick.

With love,
Your Troll

Re:Good practices

[Pinball+Wizard]

I never said I was secure just because I have a firewall. I understand that security is a process rather than a piece of software.

There is nothing accessible to my outside network that doesn't have up to date patches. I don't run exchange for email. I definitely don't have default passwords, anywhere. I don't quite understand why you keep calling me names and insisting my site is insecure. It isn't - and the examples you just gave are totally baseless.

I only have one piece of software that I don't fully trust, and thats IIS(fully patched BTW). But you can't get to credit card info through it, and besides, its getting replaced by Apache very soon.

You'll have to find some other moron to pick on, because I don't do the stupid things you accuse me of.

Re:Good practices

I hope they force you to suck the embalming fluid from your dead grandmother's cunt when you burn in hades you fucking baby fucker.

Re:Good practices

no shit. right?

-kidney-thief

Re:Good practices

rule #2 in the basic network security for morons who fuck sheep: Don't trust any application you didn't write yourself. That includes compilers. Do you have any idea how many people have the skill to reverse engineer just about any code on any platform? far more than you think. actually, it is rather easy when you get the hang of it. I'm more intimate with hex than I am my girlfriend. Do you think it's in the best interests of the corporations to spend all the money, time, effort required to release patches for security vulnerabilities? And how much it sucks to have it be on every shitty news site on the internet? Companies don't release patches until after the public knows about it. This has been ESPECIALLY true for MicroSoft(tm).

remember that stupid "netscapeengineersareweenies" exploit for IIS? Remember how many years MicroSoft(tm) kept the entire vulnerability under wraps? Perhaps you should adjust your fro, cause I just bent it.

With Love,
Your Troll

Re:Good practices

here here

Hax0r can just root the data input section...

and steal the new card entries.

What does it matter if you lose 1 credit card to a hacker or all of them, you're website's credibility is completely devastated either way..

Algore can do it!

[Kamel+Jockey]

I said it before, I'll say it again... hire Al Gore to protect the data, he will put it a real lockbox where no one can touch it!

How I would do it.

[pauldy]

I would setup a single sytem without any open ports whatsoever. I would then use something like gpg to store encrypted data submited by the user of the website in a predefined dir on the server in question. So you get the cc info and imidiatly put it in a gpg file where only the server has the key. Then run an hourly job to grab files from the webserver via sftp. And decrypt them and store them to a data base on your server. This would be simple enough to setup and impossible to do anything except grab cc numbers from the webserver.

Careful-- your plan might be illegal

[ghostlibrary]

Be careful. I read the surepay site and couldn't find the specific terms of service (TOS), but based on experience with other sites (paypal, propay, instabill, etc), your plan may be illegal.

If they are going the cheap way (visit their site, buy via link to surepay, return to their site), then the TOS likely says "customers must enter information themselves" (merchants cannot just fill out the 'credit slip' for them).

This comes up even with some online merchant accounts-- that the _customer_ must fill out each charge slip that gets processed, and the merchant can't just fill it out for them.

It's a crucial difference that means implementing your own 'fake the customer re-submitting the info to mimic recurrent billing' could violate the TOS and, in turn, Surepay's own arrangements for their bank.

Of course, if they're using Surepay's premium, it might be do-able-- but that that point, between paying Surepay premium plus hiring you for coding, they're best off just getting their own merchant account and having you code locally-- and securely-- to do what they wanted in the first place.

Merchant banking is not a place for hacks.

A matter of philosophy

[mlknowle]

I'm sure others here will offer concrete advice on setting such a system
up, so I'll share my experiences in implementing such systems.

Something important to remember is that security shouldn't be scaled with
popularity; sites often imagine that their (relative) obscurity insures
that they will not be targeted, that security is something that only
Amazon.com should worry about. This is, of course, far from the truth - in
my experience, thieves (I will not call them 'hackers' or anything like
that) target sites whose security and billing systems they know are small
enough not to take major security steps. The best way to approach it is to
implement a high level of security in every billing-sensitive system, not
because it is truly secure, but because other systems are less secure (the
deterrent effect).

One client I recently assisted was a medium-sized liberal arts university
who accepted online applications and the accompanying credit card info
(for application fees) with absolutely no security - everything was sent
to plain text files on the servers and then forwarded via internal email.
Their attitude was that as a university they wouldn't be targeted. They
were fortunate enough not to have lost any major information (that we
could determine) but they were foolish to put themselves in a situation
where their reputation (let alone their customers' information) could have
been compromised

But it's still on the server

[A+nonymous+Coward]

If someone cracks the web server, then they also have access to the web server code which decrypts the database info.

If it's readable by the web server, then it's also readable by a cracked web server.

You really need the secret info on a separate machine, with the CC machine never regurgitating anything except a simple answer (valid / invalid) in response to the full set of info (CC#, expiration, name, address). The only info a cracked web server can get is answers to random info, and it would take too long for the cracked web server to try random possibilities.

Fire's cool!

[Kamel+Jockey]

But what happens if a fire torches your filing cabinet? Would you have backups of the data (presumably Xerox copies)? And if so, where would they be stored? Also, what happens if someone were to break into the premesis (probably a disgruntled employee)?

Sounds silly, but all this can and does happen! In this case, the other posters have it right, hire the experts, but more importantly, *LISTEN* to them as well.

Right on.

[einhverfr]

It is possible to do this with reasonable security, but it requires continual effort and more detail that one will get off /.

I suggest you offload it to someone else if possible. This will reduce your PR liability and allow someone else to worry about the headache. I am assuming that you are asking this here because you have no full-time computer security staff (I would not even attempt something like this without the full-time security staff in place).

Re:Right on.

[npkatz]

full-time security staff? what company can afford this anymore other than the F10 (maybe). My former employer can't even afford good developers.

Re:Right on.

[einhverfr]

Then you should not do something as risky (politically) as storing CC#'s locally if you cannot afford to do it properly. It will cost you MUCH more in the long run.

The Question indicates this is going to fail.

[XorA]

The very way this question is worded indicates the person asking it is thinking the wrong way. The billing system has NOTHING to do with the web site, they should be seperate, if the CC information is not held on the web site then no haxor no matter how good he is can steal it from the website.

Website should be for providing info, billing systems should be for billing people. The website should be able to send info to the billing system but not vice versa. There is no need for a billing system to face externally. Just remeber not to store web transaction logs on your website in plain view and you have the problem sorted.

Remove the information physically...

[El+Camino+SS]

Here's an idea.

Put the subscription information on a removable hard drive...

Upadate it daily, and pull it out daily. Wipe out new information on web. Lock up drive. Back it up. Client communications about their account should occur over telephone. And be altered in the closed system.

Also, a good security system if the client wants to see account information is to use what my bank does... give them a new account identity number(with letters too) that has nothing to do with the credit numbers. So when the thieves steal the information, it is only useful to your company and not the rest of the world.

After that point, they would have to physically get into your company and system to pull off any information.

Re:Remove the information physically...

[CarbonJackson]

As a further precautionary method, whenever you speak to someone on the phone, speak in a muffled voice. You might also want to give yourself a cool nickname, like "Condor".

Re:Remove the information physically...

[Peridriga]

Upadate [sic] it daily, and pull it out daily. Wipe out new information on web. Lock up drive. Back it up..

Kinda hard to do w/ a 24/7/365 site...

Also... kinda hard to back-up data after it's been locked up...

Re:This is a social problem, not a technical probl

[GigsVT]

Obviously, you'll need to store the actual billing information in a database, in cleartext

Uhhh, Why?

PayPal

[zmokhtar]

PayPal has a great subscriptiong processing system. I have been using it for 6 months and have processed $5000.00 worth of transactions without a glitch.

I do routinely transfer all of my funds to my bank account because of some of the complaints I've read.

More of a network design issue

[jfsather]

One would assume that you don't allow all sorts of evil things past your firewall. Lets expand on the intent of what you are trying to do and also assume that there needs to be internal access to the data as well--customer support, phone registration, etc. What would you do in that case?

Certainly you can wrap the calls (client or web) in something like SOAP/XMLRPC/RMI/Corba and then use an encryption package over it. I built something similar to talk to a credit card authorization system using XML over HTTPS with the Java JSSE library extensions. You could certainly do this internally and to the remote authentication system as well.

The problem most sites seem to have is where the data is located and how access is allowed. Provided you are not putting your client info DB out on the net and leave it inside and protected you shouldn't have much of a problem. Do customers need to change their credit card numbers? One assumes they do and will be prompted when the card expires. This means the web server needs to have access to that data. If not, lock it inside your network and only allow writes to the database and reads only to the monthly revalidation program. In an ideal world, the internal program would have a direct link to the payment system and not have to use the net at all. You should really try to build some data abstraction layers into the system so even if the web server is hacked it can't be used as a platform to run SQL statements directly against the customer data DB. Most of the posts here seem to be about encrytion and the like, but in reality if you allow access by the web server and it is hacked you are pretty much SOL if you have a visable API through a server-side scripted language. Just IMHO.

-J

e-Citadel approach

[twenex]

There is a documented approach to storing of sensitive customer information that I think makes a lot of sense. It is brought to you by Cybersource and the SIIA and is available here

Questing about hashing

[utdpenguin]

Ok, a lot of people are saying to hash it so that it cant be unencrypted if stolen. Am I missing somehting here or will a dictionary attack not work? I mean, you know how long a credit card numebr is,a nd you know it only using numbers. And most of the customers will have common names. What am I missing?

Re:Questing about hashing

[mindstrm]

Yes, brute force would work.

Hashing it is pointless; you NEED to be able to decrypt it.. otherwise you can't process further credit card transactions...

Re:Questing about hashing

[danielrose]

Hashing refers to a one way hash. Once you hash it, you can't "unhash" it. Hence it is of no value if you need to USE the data, not just VERIFY it, so it won't work here.

Store CC info on another box

[skinny23]

I'd just slap the CC information on a box that's not accessible to the outside world. Turn off everything you can on it, etc.

SurePay is being discontinued

[Animats]

SurePay is on the way out. They've made a deal with Verisign to migrate users to the Verisign Managed Payment Gateway. The SurePay gateway is only being maintained for existing customers. It should not be used for new development.

pr0n?

Is this for a Porn site?
Hehe

Why should we tell you?

[nochops]

Sure it's possible, but why should I tell you.

Man, I wish I could get a job like you. If I don't know how to do my job, I'll just ask on slashdot. After all, that's what open source is all about, right? Using other people's donated knowledge to make yourself look smart for the boss, while at the same time earning loads of $$$ for your company and their clients.

Get a life, and an education.

Re:Why should we tell you?

Aren't we on a power trip?

Go back to writing your email viruses little boy...

best security, don't be there

Store all this sensitive data on a zip or jazz disk. Something removable and recordable. Put the disk in a computer once a month for billing. Other non-sensitive info can remain on your machines.

No hacker in the world can get to a disk that's not present.

consider the following logical layout

I would consider placing the data on an isolated machine encrypted via a 2 way algorithm (AES, DES, etc). All access to/from this machine would be via an intermediary machine which only is allowed to do the following:

* submit a cc to the holding server, along with some identifying information (e.g. account# ,etc)
* ask if a cc # is valid
* submit a request for a cc transaction
* retrieve a _portion_ of the CC number(s) associated with an account(look at most popular sites that reveal cc info, you'll note that they x out all but a teensy bit)

I would recommend that the connection between the machine holding the full cc info and the machine running the intermediary app be either serial, or an ethernet cross cable. this will prevent the data from inadvertantly being placed on a network. There shouldn't be _any_ other connection, save the console, to the machine containing the full CC information.

CC companies might object as well...

[Yahnz]

Some CC do not want you storing their #'s on your servers either. You should also talk to your bank, as they may object on grounds of increased financial risk (of fraudulant activity).

hmm.

There are already too many Pr0n sites. Why do you need to set up another?

what has been done in the past ...

[skelley]

... you have a front box connected somehow to the internet where your client interactions take place. The data is stored in a database (or whatever) on a second box. This second box is directly connected to the first box via a cable so it has no other network connection. Encrypt the CC data at every step (incoming, between the boxes, in the database, transmission to the paymeny processor, etc.). Harden box boxes as much as possible (maybe use OpenBSD for the OS). Don't store the encryption keys on the systems. Change them regularly. Use SecurID or something validate logging into into the servers. Basically assume that the hacker can get on your network and on your boxes as root. Using this model it is very difficult to get a CC number, even if you are root. One would have to start sifting through the kernel and other icky things.

MordernBill and Ubersmith

[Smirks]

Well, depending on if you want to store the credit card info on your servers or if you want to store it on someone elses servers.

If you want to store the info on your own servers the best solution for you would probably be ModernBill. It offers an integrated signup process and user management. It can also automatically talk to payment gateways such as AuthorizeNet. Highly reccomended by many. Check out http://www.modernbill.com.

If you want to keep your customer info offsite you can check out Ubersmith, which is provided by voxel.net. This is also very good and I know many people who use it. The only problem here is price. It's rather expensive to go this way, but if you can afford it it's probably the best way to go.

Hope those all help. ;)

Use encryption

[anthony_dipierro]

Convert the credit card numbers into a series of letters. 0=A, 1=B, 2=C, etc. Then if someone breaks into your Microsoft SQL Server, all they'll get is a random string of letters, not your customers' credit card information.

Re:Use encryption

[Peridriga]

Use encryption

--- Convert the credit card numbers into a series of letters. 0=A, 1=B, 2=C, etc

Not ENCRYPTION... Thats Translating

And... If I saw a table of data ALKS-AETD-KJHU-KJHO next to Name, Address, Billing Address... I'm gonna know exactly what that is....

Re:Use encryption

And... If I saw a table of data ALKS-AETD-KJHU-KJHO next to Name, Address, Billing Address... I'm gonna know exactly what that is....

...and you'd be wrong if you thought is was a credit card using a caesar cipher with A=0. What credit card numbers start with 0? IIRC, 3=AMEX, 4=VISA, 5=MC, 6=DISC (and I think 2 or 1 is Diner's Club), but I've never seen a 0. Also, 0-9 yields only A-J, and you used more than 10 different letters in your example! Sheesh.

But yeah I'm just being mean and picking nits. :) Any "encryption" that can be undone with 'tr' is no encryption in my book.

Re:Use encryption

[anthony_dipierro]

And... If I saw a table of data ALKS-AETD-KJHU-KJHO next to Name, Address, Billing Address... I'm gonna know exactly what that is....

That's why I always reverse the credit card number first. Just to fool hackers like you.

Re:Use encryption

[Trukster]

If someone hacks your sql database it will likely be after they root your web server and get the sql server/database/id/password info from the source of your webapp. If you use your own reversible encryption they will have your source to see how you do it.

Re:Use encryption

[anthony_dipierro]

It surprising that someone would take me seriously after making such ridiculous comments. TWAJS.

Choose the payment software wisely

[phamlen]

1) As other people have mentioned, the biggest decision is which pay service to use in the first place. The wrong package will result in you:

implementing strong security on a system, which is difficult to do right

implementing a lot of customer service tools (to look up credit card numbers, issue refunds, track chargebacks, etc.)

generally spending more time than necessary in order to poorly implement something that another company has already done. Remember, the billing services are the ones who should be figuring out how to store credit cards, be secure, etc.

2) The place to look for payment systems is: here

3) Be sure to understand the Customer Service issue. It is quite reasonable to expect that Customer Service will ask to be able to "look at" Credit Card numbers, but consider carefully whether they need to see the Credit Card numbers or just search on the credit card numbers.

In my experience, you may end up spending more time writing the customer service interface than writing the customer interface - they may need to issue refunds to a card, they may need to investigate chargebacks (a BIG issue - especially with recurring charges.)

4) Avoid storing the credit cards if at all possible (but understand how you'll issue refunds and search for credit card numbers). As everyone states here, the security required in order to make this secure is easily weeks worth of effort. Again, picking the right payment service can eliminate this effort.

5) Remember, the client probably doesn't care about security enough to jeopardize payment - this is a clear case where the client probably wants his money more than he cares about preventing "potential attacks".

database security

[Twillerror]

Limit the access that the web server has to you database, and then use views/encryption to hide/protect your data from the web servers prospective.

If your using a good database you should be able to configure it based on ip's or mac addresses for specific accounts. So setup your super user accounts with tight IP restriction. Then setup an account for the web server and restrict it to only the web server. That way if someone takes over your web server they will not be able to authenicate to the database using the super user account. Providing that the database does not have any security flaws.

At this point restrict select access to the CC table to only the super user account. Then create a view that returns the last four digits of the credit card number, the rest *'s. Something like ************8721. When someone issues a select statement on the CC table this is the only info they will be able to get back. If you name the main CC table something weird, the view something simple like Credit_cards, and then restrict your system tables the hacker may get fooled. Of course they would have not know anything about db's to figure out it was a view.

There may be cases when your admins or certain users need to access the full number to verify it or for other reasons. Since they will probably be using the web server to do this you can create a stored proc that has access to the info, but will only return one number at a time. Of course you will need to implement the stored proc in such as way that some security token needs to be passed to get the info. If the proc fails track it.

Another approach might be to link your two database servers together in some manner and store your CC in another database. Only store the last 4 digits and a pointer ( foriegn key ) to the other db record in your local database. Of course a hacker could leap frog onto that database, but if you do a good job of hiding it's existance it could be a road block if the hacker does not have inside information. If you log communication between the two servers, and setup some type of application level authenication between the two you might be able to catch the hacker trying to figure it out.

Bottom line is if someone takes over your web server, and it has access to the CC's in anyway your never going to be totally safe. Ask yourself if you could get in with all the knowledge of the system you have.

And also, don't be to proud to ask for help. Get a security consultant and have them try and hack in before you go live. In fact get several companies to try, it might cost a pretty penny, but you can put it in your privacy statement to your customers.

Re:database security

[SuiteSisterMary]

If the proc fails track it.

Better yet, use a trigger that, on read, checks the date of the last payment, and if it's not a month later (i.e. if the card number isn't being read at the right time for it to be a subscription) scream bloody murder.

Re:Why not ask the President? @# +1 ; Informative

zzzzzzzzzzzzz.................. uh... huh?

*shrug*

Re:Why not ask the President? @# +1 ; Informative

AY-YI-YI-YI-YI-YI-YI

Doesn't Surepay store the CC numbers?

[jfp51]

I just had a thought. I know that with Cybercash at least, they store the CC numbers on THEIR servers once you have done a transaction. You can query their database (using the original order number) and get the credit card numbers, manually enter a PO and charge the credit card. I also know that you can script all this so it you can automate it.

This is all done through SSL, and you never have the CC numbers on your system. The responsability is out of your hands.

As the old saying goes...

[rob_from_ca]

If you have to ask this question on Slashdot, then you shouldn't be doing it. Read "Secrets and Lies," and then think about the question some more.

Security vs. Convience

[geekoid]

Like most security question, ultimatly this boils down to Security vs. Convience.
I've worked in a number of arenas tha involve handling credit card information.
Here is some of the mistakes I've seen, maybe you can avoid doing them.

I contracted at a known online shopping company. When I sat down at a terminal, my access gave me permissions to the database. My machine had a floppy drive AND a zip drive. none of the CC information was encrypted. I told my manager of that was a security problem? his response? released me for being a threat to their company.

there are at least three lessons in that story.

The only way to gain more security is force pin number use onto consumers. Not perfect, but a lot better. Oh yeah encryot it for goodness sake! good encryption. Also CC numbers that expire every 30 days.

Another idea...

[Primer]

1) Keep the data encrypted in the db

2) Keep the db on an internal 10.1.1.X network and only allow the db port to be accessed from the web server. Only allow ssh access from the dba's workstation. All this via firewalling, of course.

3) Use binaries for your web server programs, so that the encryption method can't be easily discovered if somehow your db server is compromised. Then, only allow the "update" priviledge to the db user that the web programs use, and...

4) Do the monthly billing directly from the database server via cron. The db server can be a 10.1.1.X machine and still have interet access via NAT.

5) Monitor your logs daily so that, in the event your web server IS compromised, you can stop them before any damage is incurred.

This crap about loading media and unloading it is not practical, since billing is going to be a daily occurence for most companies. The CC data will always need to be accesible. At least that's how things are where I work.

My solution

[Amorphous]

Howdy,

here's what I did when I implemented the same kind of service:

first, I choose PGP (GPG) to encrypt the user's CC information in a database on a safe Linux system (firewalled and using an IDS).

here's my logic: information can be encrypted anytime using the public key, but the private key must be used for decryption. The public key is then stored on the server, but not the private one.

In case of stealing, you're safe so far.

Only one program access the CC information and need the private key. On startup, it asks for two information: the "real" private key and a "passphrase" of a minimum length. the key is then XORED with the passphrase and the result is hidden in memory. The passphrase is then given to the employees and changed daily (or anytime you wish).

So the CC info can be read if:
1- the server process was started by a thrusted admin knowing the private key, and
2- the person accessing the data know the day's passphrase.

if the passphrase is protected while being sent to the server and the employees are either "thrusted" or "unable to hack a secured unix system and debug the memory to restore an xored key", the system should be safe enough

backups can be made (the key's nowhere nead the hard disks) and the information given to the employees, the passphrase, can't be reused after the end of the day.

and if it's not secure enough for our most paranoid contenders, it's fun to realise anyway :)

Re:My solution

[Xerithane]

Sorry, but I don't understand how you can label that as secure. I'm honestly not intending this as troll/flame, but it seems that security on a unix box is somewhat of a misnomer amongst the actual industry.

My methodology (and I have done direct work on this) is if it is not secure from root on the local box, it's not secure.. The software should maintain a level of segregation from that single server.

Let me give you a little bit of insight for your next run at it - variable key/algo encryption. Ensure that soon as it starts, the keys rotate and only a user logging in is able to restore the key hash properly (this can be done a number of different ways) and also ensures that only users looking at it know the key, and if you implement in a certain manner who looked at what, based off key history. It relies on a high degree of entropy, and can be CPU exhaustive but it is well worth it, imo. Being root on a box should not make any app insecure, and I hate seeing stuff like that. Employees are one thing, you can trust them. Maybe I'm missing something in your algorithm.. but it just seems that it's secure in-concept, that no one decides to attack your server. And also, it's not like the evil-ones have to know a whole heck of a lot to dump the memory of the process and work on it later, along with your CC database.

Re:My solution

[CNeb96]

Sounds pretty good but don't use XOR as a security measure. Openssl uses a one way hash of your passphrase along with an Initialization vector to encrypt your private key. I know you were just talking about in memory and not on disk but why not do it the right way?

Re:My solution

[Panaflex]

As long as the passphrase has sufficient entropy, I don't see why XOR is a problem. He could generate an RC40 or SHA1.. but XORING can be just as good. Usually the encryptionnmethod isn't the problem - it's usally the handling of it, and the entropy of it.

Of course, if he was pretty smart, he could go to a good random source and sample an hour of random data onto a CD, and xor his key with that (each day could have a different offset) and rotate the disks every couple of months making sure to never repeat the offset. This would basically be a good one-time-pad type solution.

Pan

Not a simple problem

[geraldthewes]

I've build similar systems in the past. It's not a simple problem. In addition to a very robust and well thought network architecture and a very robust encryption architecture for the Credit Cards as mentionned in the previous posts you have to deal with:

Credit Card reconciliation - when you bill on a monthly basis, a lot of cards expire, are cancelled, this needs to be detected, the user informed the next time he tries to use the service, etc... There needs to be good adminstrative/financial metrics to track these.

You need very good operational interfaces and a strong underlying architecture so that people get billed when they should, and not when they should not. It's easy in cruise mode, but harder to keep track as financial processors or external connectivity is down, or after an upgrade, or system crash or other usual operational down-time.

Things get also quite complicated quickly if you offer multiple subscription services (monthly, yearly, first month free, etc...)

This stuff is hard to get 100% right (and it needs to be 100% right). I agree with the other post that recommend either a provider that already does that, or buying software that already does this.

Yes!

[throbbingbrain.com]

I really hope the author of the original question read that post.

...and everyone who suggested "Trust the billing service" or "Use a firewall" - please tell me where you work so I'll know not to buy anything from them.

Security through obscurity doesn't work. Use the right tools.

Re:Yes!

[Cramer]

If you knew how most companies handle your CC number, you'd stop doing business with everyone, burn your CC, and start keeping all your money under your pillow along with your gun.

In my years as a system admin, I've seen some of the most backwards, stupid, and insane bullshit on the planet. This includes the bounced postmaster email containing several hundred (possibly thousands) of CC numbers from a "secure web site"; that "https" form to which the user's input was sent put all the information -- plain english, ASCII -- in a file and then e-mailed it to someone at the end of the day. (I bet I have a backup tape with hundreds of decade old CC numbers.)

recurring monthly payment

[UrsaB]

I have used IBill for two years for recurrent monthly billing, and I am delighted with the service. They have great customer service. http://www.ibill.com

Using public key...

[Zeinfeld]

This is conceptually a simple problem, but one that can get a little complex to build. One issue that many posters don not appear to have considered is that many merchants interchange agreements specificallly prohibit billing regular charges without specific authorizations. So first check that you have the right language in your contract.

The way the good payment gateways work is they give the merchant a client that encrypts the CC# under their public key at the merchant server so only they can decrypt it on the other end. Decryption is done in a specially partitioned area, usually with substantial physical security etc.

The reason you are using a payment gateway is (in part) because they provide that physical security for you so you want to avoid anything that requires you to effectively set up a secure area yourself. Simple though this may seem to the average slashdotter it is quite hard if you are using a co-location center. And no a firewall is not sufficient.

What you need to do is to see if your merchant gateway provides an API to the payment module. I beleive that surepay is moving over to use the VeriSign payment system. If so the module that encrypts the CC# in the payload did at one stage allow for offline preparation similar to that you suggest. Whether that is currently supported is another matter that would require a little reasearch.

Re:Using public key...

[crucini]

Good points, but I cannot really agree with leaning on the gateway's crypto scheme, if any. First of all, the bank we are using does not offer this. The session is of course SSL encrypted, but within the SSL connection the card number must be sent in the clear. Before anyone suggests changing banks, I don't choose the bank. And the bank will NOT be chosen based on technical criteria. It will be chosen based on financial/contractual issues.

The second, more general point, is that an e-commerce company must have the fleixibility to change clearing back-ends without impacting the customer. Using the gateway/bank's public key to encrypt card numbers prior to storage would lock us in to this one provider. That would be harmful to my company's interests in the long term. I cannot use any special features of the current clearing provider (which happens to be a bank) because my company needs to be able to switch to whichever provider is most advantageous.

Re:Using public key...

[Zeinfeld]

The second, more general point, is that an e-commerce company must have the fleixibility to change clearing back-ends without impacting the customer. Using the gateway/bank's public key to encrypt card numbers prior to storage would lock us in to this one provider.

Who said anything about choosing the bank? The whole point of the Signio Payflow scheme (now VeriSign payment gateway) is you can connect up to any acquirer bank in north america. Most customers then use the fact to negotiate lower rates because lowering the switching costs to close to zero means that they now have pricing power.

Under the old frame relay schemes you soon became captive to a particular bank or acquirer because none of them used the same implementation of the alleged standard.

If you can't choose your gateway you should perhaps tell your management that you don't have the necessary control to fulfill your job. We are talking about the region of $400/yr flat fee here for the basic connect.

The situation you describe suggests that you are already largely locked in to a particular back end.

Re:Using public key...

[crucini]

The whole point of the Signio Payflow scheme (now VeriSign payment gateway) is you can connect up to any acquirer bank in north america.

Thanks. I didn't know that. I can see how this could help get a better rate. However, it still seems to leave the e-commerce business vulnerable to an outside party unless they internally abstract the interface (which I do).

Under the old frame relay schemes you soon became captive to a particular bank or acquirer because none of them used the same implementation of the alleged standard.

I haven't worked on one of those, but I have implemented a few interfaces to clearing providers over the internet. In each case, I abstract the back end so that none of the terminology and field names of the particular provider leak into our systems, and so there is a clean and minimal interface to hook up a second provider. I've never actually had to hook up the second provider within a given framework, but it should be easy. So if you're using the internet for transit and properly abstracting the interface, there shouldn't be much feeling of lockin. Of course I take your point that Payflow communicates the customer's freedom of choice more effectively.

The situation you describe suggests that you are already largely locked in to a particular back end.

Only in the sense that the relevant decision-makers have so decided. If they decide differently in the future, I will not have much difficulty switching back ends.

Best idea I have heard yet.

Why not have the billing services provide their public key on their own web site. Then you can just encrypt the users billing info using the billers public key.

The biggest problem is that if you change billers then you won't be able to access your customers billling data.

The solution to that is to encrypt the data with _your_ public key as well, and have your private key on a unix box that runs no services and only allows access from the console. And you will need a password to access the public key.

Then if you change billers you can pull the records out one at a time to the secure box, decrypt them, then reencrypt them with the new billers public key.

Wash your hands, Cover your Ass.

[BlueFrog]

If you're here asking us how to do this, you might not be qualified to handle this sort of security issue.

You have basically two options:

1. Hire a security consultant
2. Let your client know that they need to hire a security consultant.

Either way, you need to let your client know about this issue, and ensure that you're not going to be held responsible in the event of data loss/theft. Try to tackle this one yourself, without enough experience, and you're setting yourself up for a heap of trouble. Be a professional. Know your limitations.

reminds me of an old story

[bluebomber]

While everyone is posting about how to make a super-secure infrastructure, I'm reminded of an old story:

Two guys are out camping. In the early morning, just past dawn, they hear noises near the campsite. Peeking out the front flap of the tent, they see a grizzly bear sniffing around the perimeter of the campsite. The first guy takes off running. The second guy yells, "Hey, you can't outrun a bear!" The first guy yells, "I don't have to, I just have to outrun you!"

Of course, if your site isn't perfectly secure, someone might break in and steal a bunch of CC numbers. But they're a lot less likely if your site is mostly secure and the insecure pieces involve a lot of resources (e.g. effort, money, planning, knowledge). Remember, neither the NSA nor the CIA is interested in stealing CC numbers...

SSL Encrypted

[mian]

We store the credit card information in MySQL encrypted using the PHP OpenSSL routines. Only the public key is stored on the server, the private key is offsite and can be pasted into a form when you need to retrieve the information and have the PHP script decrypt it for display purposes only (all over HTTPS ofcourse).

Secure it

[Spazmania]

Here's how:

Overview:

1) Put the critical private information on an isolated machine.
2) Permit authorized processes to connect to the isolated machine in WRITE ONLY mode.
3) Permit authorized processes to connect from the isolated machine to the surepay server.
4) Permit no other connections.

The details:

Set up some database server software on your isolated linux box.

Write a custom interface from the main system to the linux box which accepts the data into a chrooted environment while running as a normal user (not root).
Write software which retrieves the data from the chrooted environment (still not root) and stores it in the database.

Write software which connects from the isolated machine out to the surepay server as necessary.

Set up firewall rules (a la ipchains) such that the only connections permitted are from the general-purpose server that the user interfaces with, and to (but not from) the surepay servers.

Problems with this approach:

1) Can't verify billing status e.g. credit cards in real time.

2) Credit card data remains vulnerable during the path between when its entered at the web server and when the web server stores it to the isolated server and discards it.

1200 baud?

1200 baud? Me thinks my Apple //e had a faster modem! Maybe there is a better solution... first go to the users house, get the credit card, charge it with a portable credit card swiper (the 1970's version) and then bill from the carbon copies. It would be at least 2400 baud.

NO NO NO NO NO NO KNOW!

[Zero__Kelvin]

OK ... I've taken heat for saying this before on other topics, so I feel compelled to put my head on the chopping block again 8^}

If you have to ask Slashdot, you aren't qualified !!!!!

The legal liabilities alone make it an extremely bad idea to even try. As others have pointed out, you started with the wrong givens. If the service that they want you to use doesn't offer recurring billing, then they asked you to use the wrong service! If you can't convince them to use one that is suitable ... maybe because their brother-in-law owns it or something ... let their brother-in-law incur the liability! You definitely, definitely, definitely (did I mention definitely?) should NOT even attempt this !!!!

If you do anyway, good luck, because that is all that will save you from yourself!

Cheers!

Zero__Kelvin

..and how about the processor?

[SamMichaels]

I run an online store that has credit card processing via Cardservice with Linkpoint. I'm currently rewriting the real time authorization software for it because the system they use writes all the info to a plain text file, and shells out from within PHP to execute a binary which reads the temp file with the CC info. (FYI: I was thinking of doing an SSL PHP module hack)

I think a more important question is "Does the credit card processor have enough security?" Here is the reply from Linkpoint's coding team when I said that writing plain text to a temp file is unacceptable for me and my customers:

"Writing to a temp file is how the PHP wrapper works. It is only insecure if your server is an environment where a hacker can get in and grab that temp file. Don't you have a firewall up?? If you are running a secure server then writing the info to a temp file to pass to the LBIN object should not be a problem. We have thousands of people using this product currently. This is not a security risk."

The suggestions about using public/private key encryption is excellent...it's the system I use. But how is Surepay handling the cards? Are the other major gateways giving their clients the same kind of software? Do processors such as Paypal, Surepay, et al use this kind of software? All the security of your CC database won't mean a thing if that's not the method a cracker uses to grab the info...

Should send them a link to this Ask Slashdot...

Don't even bother trying

[SuiteSisterMary]

Pull a Kobyashi Maru, and change the parameters. Don't charge monthly, charge yearly. Store the date of subscription, and send an email out, once a week, starting two months before a subscription will expire, telling the user to come re-subscribe. That removes the entire requirement to store things.

Yeah, right....

[einhverfr]

OK. How do you charge the credit card, in this case? Certainly not in real-time.

A better solution (cost-benefit wise) would be to have an iron-clad server (SELinux, maybe) which only allowed a very limited number of possible users and programs to access the CC info. Use firewalls, and keep a full-time computer-security staff (at least one person) to be responsible for managing the security.

Re:Yeah, right....

[markj02]

The problem posed was recurring charges, not one-time real-time charges. Password protection would work this way: once a week/month, someone would walk up to the machine, run a virus check, verify the installation, sign off on a log, and then insert their smartcard into the machine. The server would use the smartcard to temporarily decrypt the CC information and post all the recurring charges to the CC processor. The benefit you gain is that you are guaranteed that security and logs are looked at by a person before any transactions go out.

Use firewalls, and keep a full-time computer-security staff (at least one person) to be responsible for managing the security.

Of course. And what I described is one of the approaches such a person could take if security is paramount (no server ports, manual checks before any information is decrypted).

SurePay

It looks like SurePay is just verisign's stuff with a different name. I've been using ibill.com for some time now with no major problems. They do recurring billing, and offer a rev share program (they will do all the paperwork). They are kinda expensive though, 10-15% of sales. There is also ccbill.com which is the same as ibill but they offer a revshare and CPC program.

SurePay

If he's stuck with SurePay then he may be stuck with just one box or God forbid virtual hosting. Which means forget storing CC's and forget adding a secure box.

Possible Solution

[jrinderle]

Here is a solution using PGP:

1.) Generate a new public/private key pair of significant length using PGP / OpenPGP on a detached (off the network) workstation.

2.) Store the public key on read-only media. Create two copies. One copy should be kept in a fireproof safe. The other will become a mounted filesystem on the web server.

3.) Repeat step 2 for the private key. Except, both copies of the key should be kept in a physically secure (restricted access) location.

4.) Delete the keys from the offline workstation. Delete the swap file. Wipe the free space on the workstation's hard disk. Power off the machine to clear its RAM.

4.) Mount the public key as a read-only filsystem on the webserver. Read-only media maintains integrity. I recommend it for everything critical that doesn't require writes (kernel, system binaries, HTML files). Once there are cached in memory there is no performance hit.

5. Modify your web application. Encrypt client credit card numbers using PGP and your public key.

6. When credit card processing time comes around (every night, once a week), copy the encypted credit card numbers to removable media. Retrieve the CD with your private key. Batch process the credit card numbers from an offline workstation, decrypting the numbers with the pricate key on the CD-ROM. All of this can easily be automated with shell / Perl / Python scripts.

Again, it is critical that you A) have a backup of your key pair, B) maintain the integrity of the keys with read-only media, C) physically restrict access to your keys (most importantly the private key, but it never hurts to be paranoid). Also, your private key should never come near the web server.

Remember, document the process. Define policy to administer the process. Develop contingency scenarios (what is the private key is lost, compromised, the hard disk in the web server fails, etc.). Define how you will recover from breeches in policy. Train your employees to act responsbily.

Proper cc security

[stuce]

Proper billing information security involves two steps: first, the ordinary system security that we all know about - protecting your system from breakins, physical security of the machines, etc. This is a big job in and of itself. On top of that, you then need to worry about encryption of the account information, so that if there is a break-in (either virtual or physical), you are not in a position to be blackmailed by the crackers.

More details can be found on my company's page about security, here. Allow me to boast for a moment and state that we are one of the only payment processors that uses a fully encrypted data storage system: no unencypted card numbers are ever writen to disk. Cool, eh?

As long as I'm evangelizing our service, I will also mention our Billing ID system. This is probably exactly the sort of thing you should be using for this application: not only does it do automated recurring billing, but it actually stores all the info in an encypted database so that you don't have to be responsible for holding that information locally. You can run transactions on the account either by using the six digit Billing ID returned by the original store transaction, or by scheduling one-time or repeated transactions through either the web interface or the TCLink API. It's a pretty nifty system, you might want to check it out for your app.

Get a better payment processor

[Adam+Wiggins]

I think what you are looking for is a payment processor which supports recurring billing as well as open source client APIs?
</plug>

No Magic Bullet

[rasilon]

There's no magic bullet for this - you can't say use GNUfoo or Sun iMumble, it'll do all you want and wipe you bum too.

The only one liner I can give you is Security In Depth. Use lots of layers of security and at every layer assume that the one above has been fully compromised. Your DMZ should be well firewalled, permit only ports 80 and 443 (HTTP and HTTPS), deny and log anything else. Your DMZ servers should assume that they can be attacked on any port from any host what so ever. Use the most minimal OS install you can and pick an OS that can be secured and will let you do a minimal install. RedHat has too many features for my taste - you don't want a friendly machine, you want a very unfriendly machine. I would suggest Slackware or Solaris from the general purpose OS pool, or Bastille Linux or OpenBSD from the secured OS pool. Disable or remove inetd completely - it tries to be friendly. Permit no unencrypted traffic. Use tripwire, and be able to reimage the mahines rapidly.

Your inner firewall should be of a different make to the outer one and should assume that all hosts in the DMZ are compromised. Permit only connections from specific hosts on specific ports to specific hosts on specific ports. Anything else should be denied, logged and the warning sirens sounded.

Behind here would be your working net where (relativly) non-secure business functions live. Once again, these hosts should assume the worst and that they have to fend for themselves. Etc. Use your imagination.

One last firewall, preferably a different make again, similar to the last, specific hosts and ports only. You may want to be more cautious about sounding the claxons however, windows likes to chat to things and users occasionally do silly but harmless things - this is not to say drop your guard, just that sleep is sometimes useful.

Next is the secure net. Absolute bare bones here. What this consists of depends on your application, but usually business logic, database and credit card processing live here, each on their own box, set to maximum paranoia security. Log everything, every login, every logout every process run, every request made, when and by whom. You'll need lots of disk space, archive regularly to read-only media, make several copies and store them in multiple secure locations.

IDS - Intrusion Detection Systems. These're useful, use lots - different types, different makes, even write a few of your own.

Incident response. What to do when your firewall is breached. What to do when your web servers are breached. What to do when your working net is breached. What to do when it is an inside job. What to do when your data is stolen. This is where your IDS comes in handy, if your data does walk, you must know where, when, how and who. Access procedures are useful. You will probably never be able to ensure that no one employee can steal your data, but you can ensure that no one employee can steal your data and cover their tracks.
Note that the word "if" was missing from the last paragraph. If lets you cross your fingers and hope it wont happen. Plan for when, not if.

Software. Encryption is good. Make sure and pick the right encryption for the job. Credit card data needs to be decrypted, I would suggest BlowFish, passwords don't - try MD5. Always practice safe key management remember your data is only as safe as your keys. Having said that, if your database encryption is ever tested for real you are this > < far away from a Worst Case Scenario.

Literature. There's lots of literature about, read some of it. Learn to break into computers, try to break into yours. Read some of the OpenBSD stuff, read Bugtraq and the other stuff at SecurityFocus, even if it isn't directly related, the attackers can think laterally, you must too. Try farther afield - failsafe engineering disciplines are a good start (try a google on SAFF for places it really matters.)

On second thought....

[jrinderle]

I posted a brief overview of a solution using PGP eariler. It was by no means perfect, just intended to point you in the right direction.

Then I began to read what others had posted....

The best advice I can give you is not to trust anything you read here. Some of the solutions suggested are just bad. I am a security professional so I have some experience in this area. As others have said, recognize that you are not equiped to handle this. Find someone who is.

But before you outsource, hire consultants, etc... remember -- technology is only a tool. I've seen technology based solutions that were more vulnerable than the problem.

You have a specific set of risks. Choose a solution that helps to mitigate those risks. Remember to document. Remember people actually have to use the system. Remember a create a well-defined process. Remember to create and enforce policy.

Also, look to the three R's. I could not find a single post that specifically mentioned recognition.

Resistance: how can I protect the integrity and privacy of the card numbers?
Recognition: how do you know if a breech of security has occured?
Recovery: how do we recover from said breech?

I am working on this right now.

[crucini]

My employer has the same requirement.
Step 1: Lower your expectations. In a perfect world you could do recurring billing, and yet an intruder could not obtain the payment card numbers. In reality, any scheme which allows an automated system to reconstitute the payment card numbers for billing purposes can be used by an intruder (assuming he has root on all your machines) to obtain the list of numbers. Therefore, the realistic goals are:

1. You cannot obtain any payment card numbers by getting root on one box.
   
2. Recreating a card number involves the coooperation of a secure box. This idea recognizes that a web server running a complex application cannot reach a high level of security. There are likely to be holes. However a "secure box" running a minimum of services and relatively simple code can be more trustworthy.
   
3. Any webserver can instruct the secure box to:
   1. Learn a new payment card.
   2. Charge a payment card.
   A webserver cannot request any information about a payment card, including the number. (This necessary for criterion 1).
   Implementation: When the secure box records a new payment card, it cryptographically splits the card number into two numbers N1 and N2, neither of which yield any information about the card number. (See Applied Cryptography). N1 is returned to the requesting webserver (which sticks N1 into the database as part of the customer record) while N2 is stored in a text file on the secure server, indexed by a sequence number that is also returned to the webserver and stored in the database.
   When a webserver wants to charge a card, it provides N1 and the sequence number to the secure box. The secure box internally reconstitutes the card number and charges the card.
   
   Clearly, there are vulnerabilities in this scheme. For example, an attacher could plant a trojan on the webservers which captures the payment card numbers before they are initially sent to the secure box. However we eliminate the ultimate nightmare of having thousands of card numbers copied in one quick attack. Also, of course, anyone who cracks a webserver can throw in bogus charges (accruing to us). This is a nice bit of sabotage, but doesn't make any money for the attacker.
   
   I have heard of more elaborate schemes, but they seem to consist of security through obscurity. You can make the reconstruction of the card number "complicated", but ultimately all the elements must be available to the automatic billing process. And if the box is cracked, you can assume that all the elements stored on that box have been copied.
   
   Therefore I think this scheme is about as secure as one can realistically get.

Honeypot

[Jebediah21]

It would be a good idea to build a few identical machines to act as honeypots. The nice thing about a honeypot (if they machines are identical (same case, drives, etc.)) is that it can deter both physical and net attacks.

One time Credit Card numbers.

[MZoom]

The credit card paradigm is whats causing the problem, not securing the cc numbers!

No matter what you do, or how you do it, there is always the potential for loosing the information...either by theft, fire, fraud, etc.

The only sensible way to "charge" things are, IMHO, by changing the way credit cards work.

Before anyone mods this as off topic, consider aquiring the ability to accept a credit card that does one time transaction numbers and when you enter into a selling relationship with a customer who does not utilize this kind of credit card ... suggest it!!!

This not only ensures your customer that you care about the security of thier transactions it also serves as an opporitunity to explain that there is always a chance, even if it's a remote one, that thier current credit card numbers can be comprimised.

I do not know the answer to your original question. I personally think using the above suggestions with the system you currently are working to secure would be an option to consider.

Even if the customer does not want, or can not get a credit card that utilizes "one time transaction numbers" the fact you take the time to explain it to them should be a little reassuring to them..I know it would for me!

Here are a few more links to info on one time cc numbers:

American Express offers disposable credit card numbers for online shopping
Frequently asked questions about American Express Private Payments System
The O-Card

if you don't already know how ..

to do this then you're not qualified for the job. Sorry, but that's the truth.

what we use...

[twofeet3]

I recommend hawk-i (www.hawk-i.com) for this sort of project. It is internet billing software for small to mid-sized Internet service providers. It has a great web admin service and customers can view account history, pay bills, and manage their accounts via the web interface...
I am sure that you are looking for something similar to this product...
We have been using it almost 4 years now and we couldn't ask for better support and service...
Just my opinion though.

The only responsible thing to do ...

... is to steal as many CC #'s as possible, advance all the cash you can, and make a run for the happiest place on earth ...

TIJUANA!!!!!!!

Not a job for amateurs

[fishbowl]

That goes for your boss as well, and anyone else up the corporate chain who has allowed this situation to develop. Amateurs, however well-intentioned, should not be given the responsibility of developing financial and accounting systems or policies.

That said, I must also point something out from the customer's standpoint. There is no possible way that I, the consumer, will accept any term of purchase of any product, that involves the vendor making a monthly charge on my credit card, writing a monthly check on my behalf, or "automatically" withdrawing money from my bank account.

If a merchant is not capable of sending me a bill each month, the customary method of soliciting payment, he is not worthy of my business. Furthermore, if he demands such an arrangement as a means of automatically making my bill payment on my behalf, he has already made a serious social blunder that cost my business from the first word: it is tantamount to accusing me of being a thief, and at the very least has indicated to me that the merchant already considers me irresponsible before our relationship has even been established.

I will do no business with such a cretin. End of story.

There is a solution...

[nologin]

Use something else than Surepay. If it can't do what you need it to do, don't think you can easily throw a band-aid on to fix the whole thing.

While I can't be specific, I have had the fortune (or misfortune) of working with an e-commerce company. We had a golden rule w/ respect to storing credit card numbers. If you have a system to store credit card numbers in order to be able to reproduce them at a later date which uses a public info system (such as a website, etc.) the credit card numbers are vulnerable to someone stealing them.

Trust me. You'll never find a sure way of keeping that credit card number secure. You can say "I'll use encryption, store them (credit card numbers) on a secure server, blah blah blah". They won't be.

And I probably would trust a full end to end solution either. I just wish I can see the look on the face of a salesman who tries pitching his secure product when it's credit card numbers end up showing up in a Google search results page...

convenience vs. risk

[npkatz]

Buy.com, Ebay and (I think) Amazon let you recall card numbers you used before and use them on new orders. So they keep your old card around. I suggest heavy 2-way encryption with the key very well protected. The question is whether the card numbers are exposed, that is, if one of their employees or business partners can get to the data, is it readable or easily decryptable. If not, I say, you've done your job. I used to like knowing that companies that collect my credit card for payment don't keep it around. So the inconvenience of having to enter it again was OK given the security of their back end. However, having designed e-commerce systems myself, I realized that the lack of the recall feature has absolutely no bearing on the security of my credit card info. So I decided, screw it. Once you've used your card on a site to pay for something, you're vulnerable, at least to the dishonest employees of the vendor or his ISP. Now that I've settled, I really enjoy the convenience of being able to recall my card without having to type it in again. I would design every e-commerce system to have this feature if my clients decided it was right for their business. Norm

learn from Visa best practices

[new+death+barbie]

Here's what Visa recommends to merchants:

Internet [firewall] web server [firewall] app server [firewall] database server

...and the database must be encrypted.

Check out a company called Protegrity; they offer drop-in encryption for many vendor's databases.

Dont' do it

Really, you don't want to store credit card numbers. There are a number of services which will handle recurring transactions. Use one of those. They spend all day long dealing with credit card control issues. Let them worry about it. If your client thinks their decision about payment processor is locked in stone asked them how they expect to cover the liability of haveing all of their cusomter's cc numbers on hand. (Ask yourself about the liablility of creating such a system.)
Really, let the people whose job (and liability) it is to worry about the security. Your client's expertise is not this sort of security (and even if yours is) how can they expect to maintain this systems security when you've moved on?

The experience is the hard part?

[wdr1]

Giving customer's the service they expect isn't the hard part. Any software engineer who knows Perl, Java, or C++ should be able to implement it without much difficulty. If you think that is the hard part please do not work in e-commerce.

The hard part, the meat of the problem, is securing the data. And it's a problem who's difficult is often underestimated.

I'm assuming that all data is submitted ONLY via 'POST' (i.e. not 'GET'), and via SSL. If this is not the case, see the above comment on working e-commerce.

I had to design a system like this for the e-commerce company I used to work for. Assuming we where hacked and how, the goal was to minimize the impact it would have. E.g. if the hacker got access to our entire source tree, our database, had a network sniffer, etc. how would we stand under various scenarios. Additionally, we made as few assumptions as possible (e.g. the hacker could have access to our source code, the public key, our db, network sniffing, but did not have access to private the key).

If you're past that, some advice:

1) Place all your secure data on a separate server. Minimize the data present on that machine. This will decrease the likelihood of someone needing or asking to get access to data that will additionally expose the secure data. Additionally the server should be as stripped down as possible, as any secure server should be.

2) Setup your network with an additional zone. The server mentioned above should go in this zone. The new zone will be strictly controlled and only used for holding the server upon which the secure data will reside. This zone should be strictly controlled with it's own router. Everything disallowed and only one or two things (ssh and https) should be opened. Ideally, if your main webserver (probably the most likely spot for a penetration) you'll want to know if this part of the network has been breached as well.

3) Do not write the secure data to disk (e.g. in log files or in debugging information dump files). Do not pass the data over the network in any insecure manner. This seems obvious, but a lot of people fail to understand the entire environment, and can inadvertently weak their system's security due to this. For example, many people using a servlet container like Resin configure the session data to replicate to another server. While this is a great thing, and reduces the problems of losing any single server, the secure data can be transmitted across the local network in clear text while being replicated. Not good.

4) The web servers will most likely need to make a secure connection to secure box. This sounds bad at first, but there isn't a better away around it. Ultimately the data has to get from point A to point B. Writing it to disk for batch accumulation is not good (as stated above). Building up a queue and batch submitting jobs to the server doesn't really offer anything over individual submissions. Additionally it increases the detriment of a server crashing before the batch job has been submitted. In some cases this might also be less ideal as the business needs may call for pre-auths to take place as soon as possible, or otherwise sending the order to a distribution center as quickly as possible.

5) It's obvious to state you should encrypt the data before writing to the database. The part most people miss is HOW to encrypt. Just using a public/private key isn?t enough. Even worse, most folks will miss judge the strength of their system by gauging how long it would take to crack the key being used. While cracking the key is most likely what you would want to do to read the secret message from Alice to Bob, it?s not what someone is going to do to get your credit card numbers.

If someone wants to get your list of credit cards, it's easier to brute force the number. The average non-amex card is 16 digits. Assume you've gotten the entire database; you'll have a few hundred thousand numbers easy. Assume you're not a greedy hacker and would be happy with say only a hundred thousand numbers. Then the first four digits really aren't random as they often represent the network and bank. (Ever notice that your buddy?s Visa card also begins with a 4? Or that everyone?s Discover card is 6011?) That reduces the complexity by four orders of magnitude. Often the last four digits are show plain text to the customer. That leaves only 10^8 combinations to try. Additionally a clever hacker would do a quick mod-10 check before a more expensive encrypt-and-check call, so that's really not that long.

So what to do?

Using a one-way method isn't an option. We need to be able to get the original credit card number back. Not just because of the case cited above, but that's just a real-world need. You cannot legally charge the customer until an item has shipped. If you can't ship right away (i.e. Backorders), you're going to have to hang on to that number and use it to charge the card latter. If you have to break the order into multiple shipments, same thing.

What we is an asymmetric encryption algorithm. One that will generate a different ciphertext each time the cleartext in encrypted. There are a lot of ways to do this, some encryption even provide for it. If not, simply append a delimiter and a random number to the cleartext and encrypt it. (E.g. instead of encrypting '4111-1111-1111-1111' encrypt '4111-1111-1111-1111*4873924839432432432'.) If you have the private key, it is easy to discard the random text. If you do not have the private key, this makes it difficult to brute force the number.

6) Backup should be done separately, to separate tapes, on a separate drive connected directly to the machine. The tapes should be treated as access to the machine would be.

7) Tripwire the private key. In case of a breach, you'll need to know if this file has been accessed.

8) Use stored procedures to restrict access to the secure data. I love m(y)?sql, but this where Oracle and SQL Server's stored procedures are really nice. Basically the account through which data is being accessed by the applications should not be able to select, update, delete, or insert. Instead offer a stored procedure API to do what is MINIMALLY needed. Generally it's best to offer a minimal, but complete API. That's not the case here. Offer only what's need (e.g. do not provide an interface for updating a card number if that?s not needed, etc.)

9) Chargebacks and coupon abuse are going to be a pain in the ass. The draw back of the above method is that you cannot easily find an account by credit card number. And, in the real world, sometimes you do have to do it. Often credit card numbers are used to enforce one-per-customer offers. And for good reason -- it's probably the most effective way to do it. However, the cost (insecure data) is too high for the overall business. Slashdot bashing of Marketing be what it may, but if you can explain this to one of the higher ups in the group in an understandable way, as well as work with them to come together with a different solution, they will usually be open to it. Nobody, especially in Marketing, wants to come in one morning, and read on my.yahoo.com that their company?s credit card numbers have been stolen.

Chargebacks have one advantage over credit card abuse: they are not done one the customer?s dime (i.e. nobody is sitting there waiting for a page to load). Most likely it will be possible to queue them together, and use the first and last four digits to limit the sets of rows to be examined, and then simply start decrypting and comparing. None of the intermediate results, obviously, should be shown. This should ONLY allow to get the customer name, etc. from a valid credit card number. That normal caveats of web development apply here as well, despite it being an internal application.

10) Work with your Operations team to test the system. If you breach the zone, are there traces? If you scp off the private key, was that correctly detected as well. Remember the old scare stories of people who never tested their backup system until they needed them, only to find out they didn?t work. Make sure everything here is working as expected.

Anyway, that's all about I can bear to write for now. Hope that helps someone.

-Bill

Best security

Store all of the credit info on a stand-alone PC with a CD burner, and sneeker-net the info to a networked PC once a month. Write an app that will not store the info anywhere off of the CD, and will encrypt the info as soon as it reads it. Remove the CD as soon as the billing procedure is finished, and make sure it is destroyed by the Controller.

This will work fine as long as you are taking credit numbers over the phone. If you need to have the information available online, God help you.

Here's how I do it.

[duffbeer703]

First you have to get OpenBSD, since Theo and Slashdot says it is the most secure.

Then I store the private information in a text file that is linked from the front page of my website. I publish personal information under the GPL so that nobody can modify it.

Information wants to be free. There is no reason to hide information!

The Real World

[diogenes57]

I have heard some great suggestions for those that can host their own site/app/db on multiple firewalled boxes. What about when you are in charge of everthing, including security, for a small site that can't afford to hire a consultant, let alone additional staff?
The owner thinks everything is fine because he pays for a security certificate and everyone sees a lock at the bottom of the screen. But that just fools consumers into an unmerited sense of security because at the back-end, plaintext cc #s are sent by a form-to-email CGI.
Is it the admin's responsibility to fix what the boss is unwilling to pay for? Or should you do the best you can with the resources available to you on your own time?
I know this is not an ideal work situation, but it's one that exists in the real world. If you're an amateur, but you're the only amateur they've got, shouldn't you at least try your best to do things right?

Re:The Real World

[spudnic]

I've been in this situation several times and have been fairly successful. The circumstances are truely less than ideal, but this isn't an ideal world. The posts saying, "Pay a security consultant $20,000 to offer advice and test the system, hire high-priced lawyers to cya, etc." really don't help when the entire project budget is $10,000, including hardware. I'd guess that most of the people saying this are idealistic students/new workers that don't understand the real world, or $20,000 security consultants and high-priced lawyers who are trying to sell something.

But that just fools consumers into an unmerited sense of security because at the back-end, plaintext cc #s are sent by a form-to-email CGI.

You should be able to easily set up a system to PGP encrypt the data before it is emailed to the client. Decryption on the client's end is fairly painless, especially assuming they are on a Windows box and have a PGP plugin available for their mail program. If you don't do at least this, you're just being lazy and should be taken out back and beaten.

Is it the admin's responsibility to fix what the boss is unwilling to pay for? Or should you do the best you can with the resources available to you on your own time?

It's your job to do the best job you can given the resources that are available to you. If you find the job interesting (as I do) and commit some of your personal time for reaserch, etc., all the better. Your current boss wins by getting a better system, and you win even more by expanding your experience, thus becoming more valuable in the present and future jobs.

The absolute most important point in a situation like this is to be totally honest with your boss. Don't wait for him to ask you something. Go sit in his office and explain to him in language he can understand the potential problems and what you are attempting to do to protect the system while remaining within your budget, and what the next few steps you would take if granted more money would be.

The last thing you want is for the boss to be totally surprised if something does go wrong. He needs to know that there are definate risks and that your site WILL have attempted crack attempts no matter how small it is. Never tell anyone that a system is entirely secure. There's no such thing.

Tips

[Joe+U]

Everything must be encrypted. That's the first step. From SSL, to the connection between your Web and DB Server.

Once it's on there, make sure the data is encrypted inside the DB as well. Make the keys available to the CC processing program, and define security so that the only interface that has read access to the credit card data is the CC processing program.

That way the keys are not on the web server and if you do it right, compiled and hashed up inside your processing program.

For the very paranoid, part of the key should be entered in at runtime along with a password.

Passwords should only be given out to the most trusted people in the company.

Provide NO credit-card reading functions outside of the actual processing program. You can provide a search, update and delete, but no ability to read.

Encrypt everything between you and the CC processor, (cybercash, etc...).

Don't leave a trace log with all the info sitting in the root of the drive.

Block as much from the Internet as you can. Add IP restrictions, extra passwords, etc..

Basically, be paranoid.

you have to ask

If you have to ask if such a thing is possible then I seriously doubt that you should be designing and building it.

Good one.

[El+Camino+SS]

Funny. I laughed on that one. You deserve some points for that, unfortunately, I have no points.