Let me preface this by saying I know nothing about encryption. I understand the basic concept of public key / private key encryption, but I don't know how easily it can be broken, if at all. If one were to believe the movies, encrypted data can be broken by a teenager with a decent computer in a few hours.

I have a client who wants credit card information sent via email - encrypted, of course, but I'm still not feeling terribly good about the idea. I feel it would be safer to store the info on the VPS, but even then it's an unmanaged server and there's nobody watching it who knows much about security.

So can anyone tell me if there's a safe way to store and/or send this data out?

Thanks

A: 

Security is relative. It depends how long it needs to be secure and who your adversary is. In practical terms, PGP encryption should be enough if you have to use email. See the EnigMail guide.

You need to be careful not to store the data unencrypted anywhere along the chain. Also, I don't know if this complies with the payment processing rules.

Matthew Flaschen
+2  A: 

This question and its responses should give you a good idea. Bottom line: it's people leaving the keys on the counter that's the weak link in most encryption systems.

Bob Kaufman
+6  A: 

It's not practical to break a decent encryption scheme. It is much more likely that someone will get a copy of the keys. Public key has the advantage that the decryption key doesn't have to be on the server at all... can't compromise it at that end if it is never there.

However... this is credit card data. There are legally enforceable standards for how you should handle that data, so you really had better look up what they say. The standards mandate certain kinds of encryption, as well as various other security practices.

Andrew McGregor
+1 Crypto usually isn't the problem.
Rook