February 13, 2009
Question

Encrypt and Decrypt

  • February 13, 2009
  • 2 replies
  • 636 views
Hoping someone can help. I have a site that accepts credit cards. The site takes a credit card submitted through a form. I then have ColdFusion encrypt it as follows:

enc_key is set in the application.cfm file.

<cfset number = Encrypt(card_number, enc_key)>

This is stored in the DB.

I then have an admin area that will allow me to view orders and their creditcard so that I can process them at the store level. I use the following to display the card.

#Decrypt(blCard_Number, enc_key)#

What happens is weird: only the first half of the credit card gets decrypted. Does anyone have any ideas?

    2 replies

    Known Participant
    February 14, 2009
    You are storing cc information in the database? Bad, bad idea. Seriously, don't do it. It's clear from this you don't understand how to do this properly and the necessary security requirements (the default encrypt function in CF, for instance, is nowhere near good enough, and encrypting the string is only a small part of what you are required to do). Please go read up on PCI compliance and what is required to save credit card data - most people, once they see the level of protection and thus cost involved, decide it's not worth it. And if you do store it anyway, make sure you have liability insurance to deal with the ensuing lawsuits when the data gets stolen.

    February 14, 2009
    Wow. Dude, seriously, do not store that info. Are you using SSL when they are sending through their credit card numbers? Not a good idea, this; rather process the credit card payment on the fly or use something like PayPal or the equivalent.

    People are very touchy about their cc info for a reason.

    I am running an online hotel accommodation search engine and we allow credit card payment and I DO NOT save credit card info.

    What JPfeff is saying is completely true. CF's default encryption is not strong enough for storing credit card info. You're just asking for trouble; rather process them straight away and use SSL to receive the cc numbers and then forward them on to PayPal or woteva (always using secure methods of transmission).

    Matt Gifford
    Participating Frequently
    February 13, 2009
    How long is the encrypted string? How many characters are you storing in the database table for this column?
    February 13, 2009
    It is being stored in a MySQL DB of type mediumtext
    February 13, 2009
    The other thing that I have noticed is this seems to be random, some strings get decrypted and some don't.

    Here are two that work fine; they are 23 in length:
    0+OG$^ ,=D-<L@_JFJ".L+0
    0+OC(_0 >E]4LA_^HKRNM*0

    These are not working; they are 22 in length:
    0+_[-^P <E]J@_ZNKRVO+P
    0+_G%_0 8DMJBOBOJ"JI*@
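The following is an added example, not code from the poster or from any reply above. It assumes the ColdFusion Encrypt/Decrypt signatures that take an algorithm and encoding argument (Encrypt(string, key, algorithm, encoding)), and it uses a constructed sample card number and a placeholder key. Encrypt's default encoding is UU, whose output alphabet includes spaces, quotes and other punctuation (visible in the sample strings above); a single character altered by HTML rendering, URL handling or a character-set conversion on the way into or out of the database corrupts the decrypted result. The example contrasts that with AES plus Base64 output, adds a round-trip check before anything is written, and, following the replies' advice, shows keeping only a masked reference instead of the card number:

```cfml
<!--- Added example, not the original poster's code. Sample card value and
      key are constructed; no real account data. --->
<cfset sampleCard = "4111111111111111">

<!--- The call from the original post: default algorithm, default UU encoding.
      UU output uses characters such as space, quote and backslash that are
      easily changed by display or storage; any changed byte makes Decrypt
      return garbage for part or all of the string. --->
<cfset legacyKey = "enc_key-placeholder">
<cfset legacyCipher = Encrypt(sampleCard, legacyKey)>

<!--- Stronger algorithm with a generated key, and Base64 output, which only
      contains A-Z, a-z, 0-9, +, / and =, so it survives storage untouched.
      The key must live outside the database that holds the ciphertext. --->
<cfset aesKey = GenerateSecretKey("AES")>
<cfset cipher = Encrypt(sampleCard, aesKey, "AES", "Base64")>

<!--- Round-trip check before any write: if this fails, nothing is stored. --->
<cfset roundTrip = Decrypt(cipher, aesKey, "AES", "Base64")>
<cfif roundTrip NEQ sampleCard>
    <cfthrow message="Encryption round-trip failed; refusing to store">
</cfif>

<!--- What the replies recommend: keep no card number at all. A masked
      reference is enough for the admin screen and carries no card data. --->
<cfset masked = RepeatString("*", Len(sampleCard) - 4) & Right(sampleCard, 4)>

<cfoutput>
  Legacy (UU) output, length #Len(legacyCipher)#: #HTMLEditFormat(legacyCipher)#<br>
  AES/Base64 output: #cipher#<br>
  Stored reference: #masked#
</cfoutput>
```

Note that the legacy output is passed through HTMLEditFormat before display; without it, the browser would silently alter the UU-encoded text on screen, which is one way a string that is intact in the database can appear to decrypt only halfway.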