Best way to encrypt/decrypt and store credit cards

BenRussell

Programmer
Mar 12, 2001
243
US
I am trying to figure out the best encryption/decryption algorithm to use when storing clients' credit card numbers (for a website).

I will store the numbers in a MySQL database, but was wondering what algorithm to use. Could anybody give any suggestions?

- Ben
 
I am currently storing private data using the Advanced Encryption Standard (AES). AES is a Rijndael block-cipher algorithm that uses a 256-bit key and 128-bit block size.

Storing the keys, however, is a touchy subject and there are more than a few schools of thought (and probably a few religions) on that topic.
 
Personally, my approach if feasible would be to process the transaction immediately, then store perhaps only the first 4 characters of the number, which can be printed on a statement with the rest asterisked out.
That way, the security risk of somebody breaking into the server and gaining access to card details is minimal.

John
 
Is AES available in Perl (through a module or some other way)?

Also, is AES DEcryptable (for retrieving the numbers)?

- Ben
 
Also is AES even more secure than MD5 (I know MD5 is not reversible, but I was just wondering)?

- Ben
 
AES has replaced DES as the de facto encryption standard. AES is symmetrical ("reversible" as you say) and uses the same key to encrypt and decrypt.

I don't know if there is an existing Perl implementation, but there is a C# implementation that you may be able to translate to Perl at
AES, in its 256-bit implementation, is arguably the strongest symmetrical encryption available (aside from 512-bit AES, of course -- which is probably overkill).
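
As an added example (not code from any poster in this thread), the Perl sketch below shows the reversible AES-256 round trip discussed above, together with the masked form suggested earlier (first 4 digits, rest asterisked). It assumes the CryptX distribution from CPAN is installed, uses GCM mode (a choice the thread does not specify), and reads the key from a hypothetical `CARD_KEY_HEX` environment variable; the row id `customer:42` is also hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);

# Assumption: the 256-bit key arrives hex-encoded in the CARD_KEY_HEX
# environment variable (hypothetical name). A constructed demo key is used
# when it is unset so the script runs stand-alone; never ship a fixed key.
my $key = pack 'H*', $ENV{CARD_KEY_HEX} // ('00' x 32);
die "key must be 32 bytes for AES-256\n" unless length($key) == 32;

# Encrypt one card number; returns the fields to store in the database row.
sub encrypt_pan {
    my ($pan, $row_id) = @_;
    (my $digits = $pan) =~ s/[\s-]//g;
    die "not a card number\n" unless $digits =~ /\A\d{12,19}\z/;
    my $nonce = random_bytes(12);    # fresh nonce for every encryption
    # $row_id is bound as associated data so a ciphertext cannot be
    # swapped onto another customer's row without failing verification.
    my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $nonce, $row_id, $digits);
    return {
        nonce  => unpack('H*', $nonce),
        ct     => unpack('H*', $ct),
        tag    => unpack('H*', $tag),
        masked => substr($digits, 0, 4) . ('*' x (length($digits) - 4)),
    };
}

# Decrypt a stored row; dies if the key, row id or ciphertext do not match.
sub decrypt_pan {
    my ($row, $row_id) = @_;
    my $pan = gcm_decrypt_verify('AES', $key, pack('H*', $row->{nonce}),
        $row_id, pack('H*', $row->{ct}), pack('H*', $row->{tag}));
    die "authentication failed\n" unless defined $pan;
    return $pan;
}

# Constructed test number (a well-known Visa test PAN), not a real card.
my $row = encrypt_pan('4111 1111 1111 1111', 'customer:42');
print "stored: $row->{masked} ct=$row->{ct}\n";
print "round trip ok\n" if decrypt_pan($row, 'customer:42') eq '4111111111111111';
print "wrong row rejected\n" unless eval { decrypt_pan($row, 'customer:43'); 1 };
```

The nonce, ciphertext and tag are hex strings that fit ordinary MySQL text columns; the key itself stays outside the database.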
 