Passwords and Credit Cards in the Database
#1

[eluser]craig.hoog[/eluser]
Looking to pick brains a bit more here.
I'm working on a commerce site where we want to store credit cards and passwords in the database (obviously contact information, etc also).

Is this feasible:

a) MD5 the passwords with a dynamic salt based on what they enter
If they enter the password "dog" we could encrypt that with "god" as the encryption phrase.
Is there an issue with that logic?

b) Store the credit cards in an entirely different database. Store the last 4 digits and the expiry date separate and only merge them during the checkout function / payment transaction.

Is there something else I should consider for storing the credit cards?

Thanks!
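An added example, not the poster's code, showing the scheme in (a) as described (salt = the password reversed, assumed to be concatenated in front of the password before hashing) beside PHP's built-in password_hash()/password_verify(); the user names and passwords are constructed sample data:

```php
<?php
// Scheme from the question: MD5 over a "salt" that is just the password reversed.
// The concatenation order is an assumption; the post does not specify it.
function legacy_hash(string $password): string
{
    $salt = strrev($password);          // "dog" -> "god"
    return md5($salt . $password);
}

// Hardened form: password_hash() draws a random per-user salt, uses a slow
// algorithm (bcrypt for PASSWORD_DEFAULT) and embeds the salt in the result,
// so nothing about the salt has to be derived from the password itself.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample: two accounts that happen to choose the same password.
$users  = ['alice' => 'dog', 'bob' => 'dog'];
$legacy = array_map('legacy_hash', $users);
$modern = array_map('store_password', $users);

// A salt computed from the password alone gives every user with that password
// the same stored value, which is exactly what a salt is meant to prevent.
printf("legacy digests equal:        %s\n", var_export($legacy['alice'] === $legacy['bob'], true));
printf("password_hash values equal:  %s\n", var_export($modern['alice'] === $modern['bob'], true));

// Verification still works for the right password and fails for a wrong one.
printf("alice verifies with 'dog':   %s\n", var_export(check_password('dog', $modern['alice']), true));
printf("alice verifies with 'cat':   %s\n", var_export(check_password('cat', $modern['alice']), true));
```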
#2

[eluser]Stefan Hueg[/eluser]
Question a: That's okay.
Question b: This one is tough. I don't know which country you come from, but in Germany you need a specific certificate to be allowed to store credit card information in your own database.

If that's not a concern, you may secure these data as much as possible!
#3

[eluser]craig.hoog[/eluser]
Interesting. I've never heard of that. I'm from Canada, and I don't think we have that issue.
The site will only retail to Canadians and I've never run into that in the past.

I just don't know the best method of storing them in the database?
Use an encryption/decryption method in a separate database and try to disconnect them as much as possible?
Is there a best practice beyond that?

C
#4

[eluser]Stefan Hueg[/eluser]
I don't have any experience with that topic (as it's just not allowed) but you should definitely encrypt them. You could serialize() them first, then encrypt it and store it as a single TEXT field in your database.

Also make sure that all the communication between all parties is secured (DB to PHP, PHP to Browser), SSL and stuff like that.

Don't store that information in a cookie or cache it in any way. The database server containing your server should even be physically separate, allowing DB connections only from your Web Server.

You should definitely check if there are some restrictions / certificates you need.
#5

[eluser]craig.hoog[/eluser]
It appears you are correct. The technical documentation is a disaster, but it reads that if I want to store credit cards I have to have an audit and be PCI compliant.

Maybe we will just re-think the whole process.
#6

[eluser]Stefan Hueg[/eluser]
Okay so you also need a PCI certificate. It seems to be a global standard.

I've been told that such a certificate costs about 20.000 EUR per year and is not easy to obtain.

My advice: Use an external payment provider. We once used Ogone and the integration was fair and well documented.
#7

[eluser]craig.hoog[/eluser]
Oh yeah, I've used loads of payment providers before and that's not an issue.
We just wanted to do it internally this time with a payment provider and a locally stored copy of information we could re-send to the payment processor each time.

No problem at all, just a slight adjustment.
#8

[eluser]Stefan Hueg[/eluser]
Could you share your experience with payment providers with me, as this is always an upcoming question: which one to choose?




Theme © iAndrew 2016 - Forum software by © MyBB