I program retail software and we are required to follow PCI compliance rules. These rules, now much more public since the TJ Maxx incident, state that no clear text format of the credit card number can be stored in any file. For auditing purposes or to verify a purchase on a card we use RSA 1024 to encrypt the credit card number and store it in a transaction file. The only way to get that number is to have the key to decrypt. Other methods include doing a 1 way hash on the card number, or simply masking the card data. Another way to store the data is within a binary file that uses some sort of hashing algorithm to store the data. We call these keyed files. They can't be opened and read, you would need our algorithm to locate the data and properly read it. These simple steps are enough to deter credit card thieves. It would be too much of a hassle to try and figure out the numbers. I think any business that deals with sensitive information such as credit card data should be encrypting that data. It should not be easily accessed. I think its up to the businesses to make transactions secure for their customers.
In response to your comment, there are definitely times that the retailer needs that number to verify a purchase with a credit card company and public key encryption is the way to go. That way the number cant be seen by those who don't have reason to be seeing it, but available through decryption if need be. In the slim case that we cant decrypt, the 1 way hash is a backup. A hash will always be the same for a card number, but you cant de-hash the number.
I completely agree with your opinion on learning the fundamentals with C. I graduated with my bachelors about a year and a half ago and have been working as a programmer since. My school taught the basics, but only the very basic fundamentals. I really learned how to program on the job. The job entailed programming in ANSI C for 16 Bit DOS/OS2 Warp and 32 Bit Windows environments. On top of that, the environment we develop in is completely custom. The build scripts (batch files), editor scripts (vim), and all the configurations are custom. This was great for learning, but proved to be very time consuming. As my company has moved away from having to develop for DOS/OS2 Warp and is now strictly Windows I am enjoying not worrying about memory management issues so much (great memory overloading learning experiences). I don't know much about.Net yet, but from my experience thus far in multi platform development is Java is portable, C/C++ portable and.Net is not (yet). However I have seen C#.Net 1.1 framework running in a Linux environment (when not compiled to any windows DLL's of course), but not 2.0. Back to topic, beginners should pick up K&R C, read it, do the lessons, then move on to a series of books called "Write Great Code" by Randall Hyde.
Slashdot Mirror
I program retail software and we are required to follow PCI compliance rules. These rules, now much more public since the TJ Maxx incident, state that no clear text format of the credit card number can be stored in any file. For auditing purposes or to verify a purchase on a card we use RSA 1024 to encrypt the credit card number and store it in a transaction file. The only way to get that number is to have the key to decrypt. Other methods include doing a 1 way hash on the card number, or simply masking the card data. Another way to store the data is within a binary file that uses some sort of hashing algorithm to store the data. We call these keyed files. They can't be opened and read, you would need our algorithm to locate the data and properly read it. These simple steps are enough to deter credit card thieves. It would be too much of a hassle to try and figure out the numbers. I think any business that deals with sensitive information such as credit card data should be encrypting that data. It should not be easily accessed. I think its up to the businesses to make transactions secure for their customers.
In response to your comment, there are definitely times that the retailer needs that number to verify a purchase with a credit card company and public key encryption is the way to go. That way the number cant be seen by those who don't have reason to be seeing it, but available through decryption if need be. In the slim case that we cant decrypt, the 1 way hash is a backup. A hash will always be the same for a card number, but you cant de-hash the number.
I completely agree with your opinion on learning the fundamentals with C. I graduated with my bachelors about a year and a half ago and have been working as a programmer since. My school taught the basics, but only the very basic fundamentals. I really learned how to program on the job. The job entailed programming in ANSI C for 16 Bit DOS/OS2 Warp and 32 Bit Windows environments. On top of that, the environment we develop in is completely custom. The build scripts (batch files), editor scripts (vim), and all the configurations are custom. This was great for learning, but proved to be very time consuming. As my company has moved away from having to develop for DOS/OS2 Warp and is now strictly Windows I am enjoying not worrying about memory management issues so much (great memory overloading learning experiences). I don't know much about .Net yet, but from my experience thus far in multi platform development is Java is portable, C/C++ portable and .Net is not (yet). However I have seen C# .Net 1.1 framework running in a Linux environment (when not compiled to any windows DLL's of course), but not 2.0. Back to topic, beginners should pick up K&R C, read it, do the lessons, then move on to a series of books called "Write Great Code" by Randall Hyde.