I'm writing a script to pull orders out of CCP and have the credit cards processed by some other software and I was wondering where in the code I could find the routines for decrypting the credit cards.
Right now I'm using Offline Processing as the payment method.
I've read something about the decryption keys being sent to some email address, and that just isn't going to work for me having like 30-100 orders a day being processed. Is there some other way to access the decryption keys?
Offline
I'll try that, I think it should work ok for what I need.
I guess the major security concern is that if the same key is used for encrypting all credit cards then if a hacker found that key he'd have access to decrypting all credit card numbers, where right now with each key being unique for each transaction there is no reference for anyone to use to decrypt those keys unless they have a copy of every single email containing the decrypt keys.
I guess if I wanted to maintain a tight wrap on security for what I'm wanting I could mod the code to allow for key encryption where I'd have an encryption key and decryption key, then store the decryption key on a separate system so if someone was to gain access to the web server they'd have no reference to the decryption key, and you could make all decryption processes take place on the remote box which would be behind the firewall.
Then you could do key rotation to make things even more fun.
Offline
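The split-key design described in the post above, sketched as an added example that is not part of the original thread or of the cart software's own code. It assumes the `openssl` command-line tool; the file names, key ids and the `keyid:ciphertext` record layout are hypothetical, and the card number is a constructed test value.

```shell
#!/bin/sh
# Added example: public key on the web server, private key only on the
# backend box. All names below are hypothetical.
WORK=$(mktemp -d)

# Backend box (behind the firewall): create a key pair labelled with a key id.
# Only web_<id>.pub is ever copied to the web server.
make_keypair() {  # $1 = key id
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/backend_$1.key" 2>/dev/null
    openssl pkey -in "$WORK/backend_$1.key" -pubout -out "$WORK/web_$1.pub"
}

# Web server: encrypt with the public key (RSA-OAEP) and prefix the key id,
# so the backend knows which private key to use after a rotation.
encrypt_card() {  # $1 = key id, $2 = card number
    ct=$(printf '%s' "$2" |
        openssl pkeyutl -encrypt -pubin -inkey "$WORK/web_$1.pub" \
            -pkeyopt rsa_padding_mode:oaep | openssl base64 -A)
    printf '%s:%s' "$1" "$ct"
}

# Backend box: pick the private key named by the record's key id and decrypt.
decrypt_card() {  # $1 = "keyid:base64-ciphertext" record
    kid=${1%%:*}
    printf '%s' "${1#*:}" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$WORK/backend_$kid.key" \
            -pkeyopt rsa_padding_mode:oaep
}

# Demo with a constructed test card number.
make_keypair k1
record=$(encrypt_card k1 4111111111111111)
echo "stored on web server: ${record%%:*}:<$(printf '%s' "${record#*:}" | wc -c) base64 chars>"
echo "decrypted on backend: $(decrypt_card "$record")"
```

Rotation here means generating a new key pair under a new key id and pointing the web server at the new public key; older records keep their original key id and remain readable on the backend.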
If you figure out a way to do this, please let me know. I have not seen a valid method for retrieving data encrypted with an unknown key. I'm not saying it's not possible - I'm saying I haven't found a way yet. If you do - I want to know about it, please.
Offline
Hi All,
I found the topic related to making 1 encryption key. I've tested out the code and like the ability to use only one key. I have some questions though.
When I modify the adm_track.pl file any orders completed prior to the mod don't have a link to decrypt and don't show the cc number. If I don't change this file, the orders completed after the fix don't decrypt properly.
Is it possible to still require an admin to input the key to retrieve the cc number so both old orders with variable encryption keys can be used, and all orders going forward can be decrypted with the static key?
Thanks in advance,
cab
Offline
The changes on that page also remove the CVV code from the admin, and you have no idea what it is :-)
Offline
That's a good point. I didn't even realize it was missing. Since the CVV number is only sent in the encryption email how do you get to all 3 pieces of information? CC#, Expiration Date, and CVV while allowing for only one encryption key?
Thanks for pointing that out.
cab
Offline
Any ideas out there?
Offline