Ask HN: Storing Credit Card Numbers
Given that, how would you do it?
It seems to me, that any crypto magic you may perform on your data, before storing it into your database, is coded right there for any attacker with access to your source files. If they have access to your database, I assume they also can access your source files.
So, does everybody ignore that fact? Or do they use compiled code that they were careful to remove the source after they compiled it?
I'm envisioning a c program that uses variables like private ip address, ip address, etc, as encryption keys, or just as gates to keep the program from working. Compile it, remove the source code, and bask in the knowledge that even if your harddrive is cloned, it still won't work when they run it on their system.
Is there a better way?
14 comments
[ 2.9 ms ] story [ 45.7 ms ] threadDatabases are commonly compromised by SQL injection attacks that reveal the contents of the database. Some databases, MySQL for example, have functions that allow the database to display the contents of files off the filesystem. But on the whole, if someone has gained access to your database it does not immediately follow that they have access to your code. Only that you need to tighten up on security.
An alternative to hashes, but somewhat more expensive computationally, would be to encrypt the CC number into the database using the public key of a Public/Private encryption scheme (PGP for example). So even if they got hold of your database and the public key they could still not, realistically, decode the CC number. Providing the private key is held securely on another server!
It all comes down to what you need to do with the CC numbers. Long ago I worked on some software to track CC fraud for a major store (was a CC number used in store A also being used in store B, it was likely that the card had been cloned as most customers only shopped at their local branch), we used hashes of the numbers. We didn't even need to know who the customer was, everything was driven by electronic till receipts and hashed CC number.
Do you need the actual CC numbers or would a hash be equally as usable?
Most server compromises that I've seen have stayed local to the server - I'm not a security pro; but generally I've seen the server that got knocked over get messed around with, anything on that server was fair game.
Beyond that, I'm sure there are other things you should do to protect the database that contains the credit card numbers; but seriously - keep them off your web server.
I also had the idea of some dummy security trigger database entries, so if somebody actually camps out on my server, using my own webservice to decrypt the database, eventually they hit one of my trigger entries, and my webserver reboots and my cell phone starts ringing.
PCI DSS Standard: https://www.pcisecuritystandards.org/security_standards/pci_...
More info on Wikipedia: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu...
Don't let the number even touch the disk!
It's not just the credit card numbers that are valuable -- it's the combination of credit card number + billing address that are generally required to make a purchase. 30 bit enumeration can require just a few minutes (or even seconds) on modern CPUs and GPUs. So, if you do store them this way, fluff them front and back with random data that you ignore when decoding.
What would I do? Make sure the user has a password (Use HMAC/bcrypt to verify password; DO NOT STORE PASSWORD!); When the user logs in, derive key from password using a different HMAC with different salt, and store in memory/session vars only for as long as needed. Use that key to encrypt the credit card number with a symmetric cipher, e.g. AES; make sure to purge these keys from memory/session directory early and often.
Advantage: You don't have access to the credit card on record even if you (or a rogue employee) wants to. Active participation from user _required_ to get access to data. If your server is hacked, only credit cards used while a hacker has complete view of traffic are compromised, and not all data stored.
Even better: offload to payment processor and make it their problem.
Really.
Here's the problem.
I don't like taking more information than is needed from people. I don't intend to take CVN numbers, and I don't intend to take Street addresses. You don't need them. All you need is a zip code for verification. I know people that run telephone chat lines. They only take zip codes, because people are typing everything into their telephones. No letters allowed.
Also, you'll note that 37 signals only takes a zip code. No CVN, no street address.
So, I log into my Authorize.net account, go to the virtual terminal, enter a transaction with only zip code verification. It works. No problem.
I go to their CIM panel, try to enter the same information. They tell me I need street address. Authorize.net tech support is extremely unhelpful, telling me to talk to Visa, ignoring that they allowed the exact same transaction through another area of their site.
So, I'm paying $25 a month for CIM, for the privelege of being forced to make my users life unnecessarily complicated. I have a problem with that.
If I can safely store those numbers without CIM, I intend to do so.
And just remember, that by storing those numbers locally, you're also taking potential liability for things that go wrong. To assess how much that is in cash, call a few insurance companies and ask them to give you a quote. Assume they have 25% markup on the real cost; That's how much you are "paying", although you are not doing it out-of-pocket (Though, in a catastrophic event, you _will_ be paying a lot)