drhoo (Posted May 26, 2012)

As far as I understand in WHMCS, credit card hashes are stored in the config file. Is there an option not to do this? Saving credit card hashes on the same system is like having your pin numbers in the same wallet as your credit cards. Please clarify this. I was going to move from ClientExec to WHMCS and this one issue is holding me up.

m8internet (Posted May 26, 2012)

What about saving to a separate file and folder, outwith public_html? Same principle as the templates_c folder.

drhoo (Posted May 26, 2012, Author)

> What about saving to a separate file and folder, outwith public_html? Same principle as the templates_c folder.

No, that's not good enough. If the server is compromised, you're done for. Hash keys should never have to be stored.

everythingweb (Posted May 26, 2012)

what is your suggestion on how they do this then, drhoo? an honest question, i am interested in how this would be done. if you store the DB on a remote server and that DB gets compromised then that's fine but if the host that accesses the DB and has the hash file gets compromised then you're buggered again. what other ways are there around this?

drhoo (Posted May 26, 2012, Author)

You encrypt credit cards with a key that's never stored anywhere. You have to remember it or store it in your office. Every time you need to process credit cards you need to enter the key. If anyone gets hold of your db, at least they need to do a bit of work to crack your key. Having to store the hash key on the same system is a big mistake.

everythingweb (Posted May 26, 2012)

ok so a manual solution then

jclarke (Posted May 26, 2012)

I would recommend not using the built-in credit card storage at all and storing all of your customers' data with a tokenized vault. That way you can still do automated recurring payments and your customers' credit card information is safe. WHMCS supports a few of these already and has scripts to convert your currently saved credit card data.

drhoo (Posted May 26, 2012, Author)

> ok so a manual solution then

The only manual part is when you enter your key. You can still batch-process and do other automated tasks.

laszlof (Posted May 26, 2012)

How do you expect to encrypt the credit cards in the first place without the hash? I suppose you could just store them as plain text until you can be bothered to log in and enter the CC encryption hash.. right?

drhoo (Posted May 26, 2012, Author)

> How do you expect to encrypt the credit cards in the first place without the hash? I suppose you could just store them as plain text until you can be bothered to log in and enter the CC encryption hash.. right?

You encrypt them with the same private key. The idea is very simple and has been in use for many years.

everythingweb (Posted May 26, 2012)

> How do you expect to encrypt the credit cards in the first place without the hash? I suppose you could just store them as plain text until you can be bothered to log in and enter the CC encryption hash.. right?

Unfortunately automation is the issue and people signing up at random times during the month, I'm sure WHMCS has charges going off almost every day - this will be an admin nightmare.

The safest bet is probably to either have PayPal subscriptions as the only auto-bill option and then require a manual payment from each WHMCS client if they do not use PayPal (or any other payment providers who offer a similar subscription system where they store the CCs themselves).

Unless you are a financial institution it's never wise to store CC details in my opinion.

CavalloComm (Posted May 26, 2012)

Our Gateway, GoEMerchant - which I was able to configure with a little help and the PlanetAuthorize app will do their OWN recurring in your merchant account. This way they just have to pay once, request recurring and you can go and set it for them.

easyhosting (Posted May 26, 2012, edited May 26, 2012: typo)

maybe using a passphrase like CE

Credit card information is encrypted within ClientExec once a customer enters their credit card information. ClientExec requires that you further encrypt this credit card information by adding a string word, called a passphrase, that is not stored anywhere on the server or database.

Each time a customer enters their credit card number, you must "validate" the number using a passphrase. The credit card number is encrypted using the passphrase and can not be decrypted unless the passphrase is provided. The first time you "validate" a credit card your passphrase is set.

Warning: The passphrase can not be retrieved if forgotten, you will be able to recreate a passphrase but all credit cards will have to be reentered.

When processing credit card based invoices you will require this passphrase.

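Added example, not part of the thread and not ClientExec or WHMCS code: a sketch of the passphrase scheme described in the post above, where the encryption key is derived from an operator-entered passphrase and only salt, IV, tag and ciphertext are stored. The function names are hypothetical, and PBKDF2-HMAC-SHA256 with AES-256-GCM is an assumed choice of primitives; the page does not say what ClientExec uses.

```php
<?php
// Added illustration; function names are hypothetical, not ClientExec or WHMCS APIs.
// Assumed primitives: PBKDF2-HMAC-SHA256 for key derivation, AES-256-GCM for encryption.

const KDF_ITERATIONS = 600000; // assumed work factor; tune to your hardware

function derive_key(string $passphrase, string $salt): string
{
    // The key exists only in memory while the operator's passphrase is present.
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

function encrypt_pan(string $pan, string $passphrase): array
{
    $salt = random_bytes(16); // per-record salt, stored beside the ciphertext
    $iv   = random_bytes(12); // 96-bit nonce for GCM, never reused with a key
    $tag  = '';
    $ct   = openssl_encrypt($pan, 'aes-256-gcm', derive_key($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Only these four values are stored; the passphrase and key are not.
    return array_map('base64_encode', compact('salt', 'iv', 'tag', 'ct'));
}

function decrypt_pan(array $row, string $passphrase): ?string
{
    $r  = array_map('base64_decode', $row);
    $pt = openssl_decrypt($r['ct'], 'aes-256-gcm', derive_key($passphrase, $r['salt']),
                          OPENSSL_RAW_DATA, $r['iv'], $r['tag']);
    // A wrong passphrase or a modified row fails the GCM tag check.
    return $pt === false ? null : $pt;
}

// Constructed sample input: a widely used test card number, not real data.
$row = encrypt_pan('4111111111111111', 'correct horse battery staple');
var_dump(decrypt_pan($row, 'correct horse battery staple'));
var_dump(decrypt_pan($row, 'wrong passphrase'));
```

Because the scheme is symmetric, the passphrase has to be supplied when a card is first encrypted as well as when it is billed, and it protects a stolen database or config file rather than a server that is compromised while the passphrase is being entered.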
FlexiHost (Posted May 27, 2012)

Out of interest, if it's any help, we use ioncube to encrypt the config file, which contains the hash (and all other details). WHMCS seems to still run sweet - I know not the perfect solution but...

Y3K-Daniel (Posted May 30, 2012, edited May 30, 2012)

> Out of interest, if it's any help, we use ioncube to encrypt the config file, which contains the hash (and all other details). WHMCS seems to still run sweet - I know not the perfect solution but...

You do realise ioncube encoded files can easily be decoded, right? Would take only a couple of minutes to decode something as small as the config file. Or if you know the variable names stored inside (easily found for WHMCS config), you just include the encoded file in a php script and print out all the variables you want.