InnoDB?

Nifty Hat Mitch mitch48 at sbcglobal.net
Sat Oct 16 15:57:47 UTC 2004


> Thank you for the reply. I understand the reasoning behind your
> response. My company and I were thinking about storing the numbers
> permanently but I guess that will not be a good idea. There is a
> firewall being deployed also. However, I do see the point.
> 
> > Can I safely store multiple customer credit card numbers in a table
> > that is InnoDB, if I use an Encrypt()
....
> No. The Encrypt function is too weak. AES_Encrypt/AES_Decrypt or 
> DES_Encrypt/DES_Decrypt are stronger. However I would strongly recommend
> that credit card numbers not be permanently stored in the table.


One way to think about storing multiple customer credit card numbers
is to consider them as a liability or perhaps toxic waste.  An
individual like me may be off the hook with my credit card company if
my account number is stolen once.  However your company may not be off
the hook if thousands of account numbers are released to an
international crime group should you be hacked or a trusted employee
turn bad.

Such data also needs 'meta' data associated with it.  Invoice number,
customer ID, Date/Time, paid/pending, timer for return policy and so on.
There are also some accounting standards that must be adhered to.

Any encryption will have a key.  Some design process needs to exist to
re-encrypt the data should you find that the key is at risk or discover
that the algorithm is hackable.  Then there is the issue of
backups....


-- 
	T o m  M i t c h e l l 
	May your cup runneth over with goodness and mercy
	and may your buffers never overflow.
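The "re-encrypt the data should you find that the key is at risk" step Tom raises, and the AES_ENCRYPT/AES_DECRYPT functions the quoted reply points to instead of ENCRYPT(), sketched as one MySQL example. This is an added illustration, not code from the thread or from fedora-list. The table and column names, the session-variable key handling, and the key material are assumptions; the keys are placeholders, and the card number is the well-known Visa test PAN. The three-argument AES_ENCRYPT form and `block_encryption_mode` need MySQL 5.7 or later; older servers only offer the 128-bit ECB form.

```sql
-- Added example, not from the original thread. Names and keys are assumptions.
-- MySQL's default block_encryption_mode is aes-128-ecb, which leaks equal-
-- plaintext patterns; pick a chained mode with a per-row IV where available.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- The 'meta' data Tom mentions lives beside the ciphertext; the plaintext
-- number is never stored. key_version records which key encrypted each row.
CREATE TABLE card_on_file (
    id          INT UNSIGNED      NOT NULL AUTO_INCREMENT PRIMARY KEY,
    customer_id INT UNSIGNED      NOT NULL,
    invoice_no  VARCHAR(32)       NOT NULL,
    pan_enc     VARBINARY(64)     NOT NULL,  -- AES_ENCRYPT output only
    pan_iv      BINARY(16)        NOT NULL,  -- per-row IV for CBC mode
    key_version SMALLINT UNSIGNED NOT NULL,  -- which key produced pan_enc
    created_at  DATETIME          NOT NULL
) ENGINE=InnoDB;

-- Placeholder keys held in session variables for the example. In practice the
-- key comes from the application or a key-management service at query time and
-- is never stored in a column, a backup of the same database, or the schema.
SET @k1 = UNHEX(SHA2('placeholder-key-v1', 256));   -- current key
SET @k2 = UNHEX(SHA2('placeholder-key-v2', 256));   -- replacement key

-- Store a (test) card number under key version 1 with a fresh random IV.
SET @iv = RANDOM_BYTES(16);
INSERT INTO card_on_file
    (customer_id, invoice_no, pan_enc, pan_iv, key_version, created_at)
VALUES
    (42, 'INV-0001', AES_ENCRYPT('4111111111111111', @k1, @iv), @iv, 1, NOW());

-- Key rotation: decrypt with the old key and re-encrypt with the new one in a
-- single statement, so plaintext never lands in a column or an application
-- log. The IV is kept: IV reuse only matters under the same key, and the key
-- is changing here. key_version is bumped so a partial or interrupted rotation
-- can be resumed with the same WHERE clause.
UPDATE card_on_file
   SET pan_enc     = AES_ENCRYPT(AES_DECRYPT(pan_enc, @k1, pan_iv), @k2, pan_iv),
       key_version = 2
 WHERE key_version = 1;

-- Check: no row should still be on key 1, and every row must decrypt under
-- key 2 (AES_DECRYPT returns NULL on a wrong key or corrupted ciphertext).
SELECT key_version, COUNT(*) AS rows_on_key
  FROM card_on_file
 GROUP BY key_version;

SELECT id,
       AES_DECRYPT(pan_enc, @k2, pan_iv) IS NOT NULL AS decrypts_ok
  FROM card_on_file;
```

The part that makes rotation workable is the `key_version` column rather than the UPDATE itself: without it, a rotation that stops halfway leaves rows that cannot be told apart, and the backups Tom mentions at the end will always hold ciphertext under older keys, so those keys have to be kept retrievable for as long as the backups are.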
