I’m working on a very small form that accepts credit card numbers, which will be cleaned out shortly thereafter. For the time they exist in the database, I’d like them to exist in a comfortable state of encryption. Unfortunately, in my many years of web-development, programming, and database-development, I’ve not once had the opportunity to educate myself in the area of encryption.
Is there are relatively easy-to-implement method of encrypting credit card numbers that I can implement quickly? A set of functions, class, anything at all that will get the job done, and done well? I am taking this opportunity to educate myself on the issue, but due to time-sensitivity, more than just a nudge in the right direction is requested.
Language: PHP / Storage: MySQL
One of the best ways is to simply use MySQL for the encryption / decryption. See these functions:
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
However, keep in mind that while this will protect you against people who may find a way to read your database, it will not protect against someone who owns the server. That’s because the decryption key is present on the server.
All in all, it’s a huge boost. True security would come from public key encryption and offline decryption with a secure private key (eg. different server).
As an example:
and
The specific function is documented here:
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_aes-encrypt
For more information on AES, please see:
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
For maximum security in your environment, I suggest you store the key in a PHP constant. It’s less likely to get divulged at runtime that way (minor detail).