Im trying to design a payments API, and it requires the sending of CC info over the wire. So for this I was thinking of using a public key to encrypt the CC info and decrypt it on the server. Keep in mind that the connection is https also. Any suggestions on the topic?
+2
A:
If the connection is https encrypting it a second time won't do any good, except if someone breaks SSL/TLS. In that case trust me your API will be the least of the world's problems..
Andreas Bonini
2009-11-29 06:47:58
hmm makes sense to me. I thought someone could still sniff the traffic though, guess Im wrong. Thanks!
Faisal Abid
2009-11-29 06:51:55
A:
In contrast to the earlier answers I would strongly suggest you read up on PCI-DSS. Basically you want to keep the card number encrypted until it is absolutely needed in plain text, such as when authorizing or settling. Its not clear what exactly your api calls will do, but at a guess you almost certainly don't want the card number to appear in plain text as soon as it hits your webservice.
In addition if you have a client side component that captures card details, then that will fall under the scrutiny of PA-DSS.
PaulG
2009-11-29 11:10:08