Posts: 9
Threads: 3
Joined: Sep 2011
Reputation: 0
Hello:
I read the documentation and searched the forums, but could not find anything about storing credit cards.
I guess there must be a simple way to avoid having the credit card numbers stored as plain strings in the database?
Thanks everyone
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation: 6
Actually, I'm afraid not! Right now, there's no encryption done on any fields except Form Tools user account password fields.
Generally it's never a good idea to store credit card information. I know that sometimes it's a necessity, but I'd avoid it if you can.
Quick explanation about why encryption hasn't been added yet.
The thing is, if you were to store credit card info, you'd need to use what's called "two-way encryption", unlike password encryption, which is one-way. One-way is far more secure than two-way.
To explain: when you log in, you always type in your password. To confirm that that password is valid, the system encrypts the supplied password and compares it with the encrypted value stored in the database. This way, the saved, encrypted password is never actually decrypted - and in fact, it can't be: that's the purpose of 1-way encryption.
But if you ever need to encrypt other information (like credit cards), it means you want to re-use it later on, which means it'll have to be decrypted later on. Two-way encryption is so limited from a security point of view, it never struck me as worth it... if someone were to get access to your database, they could easily find out the encryption method and decrypt it themselves.
So that's why I haven't bothered adding this feature yet. That said, it would be a relatively easy module to put together, I suppose...
Sorry I couldn't be any help.
- Ben
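The one-way check and the two-way round trip described in the post above, as an added example that is not part of the original thread and is not Form Tools code. The function names, the sample values, and the choice of PHP's libsodium secretbox with a key held outside the database are assumptions.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.

// One-way: only a hash is stored; login hashes the supplied password
// and compares. Nothing here can turn the stored value back into the password.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function check_password(string $supplied, string $stored): bool {
    return password_verify($supplied, $stored);
}

// Two-way: the value must be readable later, so a secret key is required.
// Assumption: the key is kept outside the database and passed in by the caller.
function encrypt_field(string $plaintext, string $key): string {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher); // fits a text column
}
function decrypt_field(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // not something encrypt_field() produced
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain; // null: wrong key or altered data
}

// One-way in use: the same password verifies, a different one does not.
$hash = store_password('correct horse battery'); // constructed sample
var_dump(check_password('correct horse battery', $hash));
var_dump(check_password('some other guess', $hash));

// Two-way in use: the key holder gets the value back; the stored row
// alone, opened with any other key, yields null.
$key = sodium_crypto_secretbox_keygen();        // stands in for a key loaded from outside the DB
$row = encrypt_field('4111111111111111', $key); // standard test card number, not real data
var_dump(decrypt_field($row, $key));
var_dump(decrypt_field($row, sodium_crypto_secretbox_keygen()));
```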
Posts: 9
Threads: 3
Joined: Sep 2011
Reputation: 0
Ben,
Thanks for the answer.
Unfortunately, for us it is mandatory to store the CC info.
So I guess I will have to code that two-way encryption.
Where would you recommend putting the code that will alter the values before they are stored in the database?
Thanks!
Posts: 9
Threads: 3
Joined: Sep 2011
Reputation: 0
This is precisely what I needed; I don't know how I overlooked it when I browsed the list of available modes.
Again thank you!
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation: 6
No worries - good luck getting it all configured.
- Ben
Posts: 9
Threads: 4
Joined: Mar 2012
Reputation: 0
Would it be possible to show an example of how you would use this to store encrypted data in a textarea field?
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation: 6
Hi bgarlock,
This morning I caught your post and thought I'd rustle up a quick fix. 8 hours later I finally have a solution. Yowch!
Turns out I need to release a Core + Hooks Manager update to allow for this to work properly. I'll release the Hooks Manager 1.1.3 tomorrow, and Core 2.2.2 early next week. Once that's done, I'll put together a tutorial explaining how to do it. It's not the most elegant thing in the world (it really lends itself to a module), but it seems to work pretty well.
If you don't hear back from me after 2.2.2 is released, let me know.
- Ben
Posts: 9
Threads: 4
Joined: Mar 2012
Reputation: 0
Wow! Thanks so much for this, Ben :-) I'll give it a whirl..
Posts: 41
Threads: 9
Joined: Aug 2009
Reputation: 0
Hi Ben,
Did you get a chance to create the tutorial mentioned in post #8? This will be very useful!
Thanks!
Bill