Encrypt/Decrypt Credit Card Data


David W. Fenton

I don't know why this has to be so difficult. All I want is to
encrypt/decrypt credit card numbers for a client (they are now
storing them in plain text!). It seems that people don't want to make
this easy.

For instance, in this article:

http://support.microsoft.com/kb/821762/

encryption is quite simply explained in VB examples.

But the decryption is in .NET, and I can't make head or tails of it.

Are the decryption routines in the same advapi32.dll that is used in
the VB example? If so, why don't they just use that?

I banged my head against the wall on this one a couple of years ago,
and just don't understand why all the examples have to be presented
in such a confusing manner.
 
There certainly is a Decrypt function in advapi32. Check this out:
http://msdn.microsoft.com/en-us/library/aa379913(VS.85).aspx

Well, I looked at that and thought it didn't really help me, since
it gives me the API declaration (which is nearly identical to the
Encrypt API call, not surprisingly), but the class module from the
link I posted yesterday wraps a complex procedure around it. It
turned out that IT'S EXTREMELY SIMPLE. I just replaced the class
module's encryption subroutine with an EncryptDecrypt subroutine
that takes a Boolean that determines whether to encrypt or decrypt,
and branches the API call accordingly.

Turned out to be a piece of cake, but I don't understand why the
KB article I started from doesn't implement something so incredibly
simple.

If anyone's interested, I'll post my working database.
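
The single-routine approach described in the post above could look like the following in VBA. This is an added example, not the poster's database and not the KB 821762 class module; the function and parameter names, the choice of PROV_RSA_AES with SHA-256 and AES-256, and the VBA7 `PtrSafe` declarations are assumptions.

```vba
Option Explicit
' Added example. Assumes VBA7 (Office 2010+) and a zero-based Byte array as input.
Private Declare PtrSafe Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" (ByRef phProv As LongPtr, ByVal pszContainer As String, ByVal pszProvider As String, ByVal dwProvType As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function CryptCreateHash Lib "advapi32.dll" (ByVal hProv As LongPtr, ByVal Algid As Long, ByVal hKey As LongPtr, ByVal dwFlags As Long, ByRef phHash As LongPtr) As Long
Private Declare PtrSafe Function CryptHashData Lib "advapi32.dll" (ByVal hHash As LongPtr, ByRef pbData As Byte, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function CryptDeriveKey Lib "advapi32.dll" (ByVal hProv As LongPtr, ByVal Algid As Long, ByVal hBaseData As LongPtr, ByVal dwFlags As Long, ByRef phKey As LongPtr) As Long
Private Declare PtrSafe Function CryptEncrypt Lib "advapi32.dll" (ByVal hKey As LongPtr, ByVal hHash As LongPtr, ByVal bFinal As Long, ByVal dwFlags As Long, ByRef pbData As Byte, ByRef pdwDataLen As Long, ByVal dwBufLen As Long) As Long
Private Declare PtrSafe Function CryptDecrypt Lib "advapi32.dll" (ByVal hKey As LongPtr, ByVal hHash As LongPtr, ByVal bFinal As Long, ByVal dwFlags As Long, ByRef pbData As Byte, ByRef pdwDataLen As Long) As Long
Private Declare PtrSafe Function CryptDestroyKey Lib "advapi32.dll" (ByVal hKey As LongPtr) As Long
Private Declare PtrSafe Function CryptDestroyHash Lib "advapi32.dll" (ByVal hHash As LongPtr) As Long
Private Declare PtrSafe Function CryptReleaseContext Lib "advapi32.dll" (ByVal hProv As LongPtr, ByVal dwFlags As Long) As Long

Private Const PROV_RSA_AES As Long = 24, CRYPT_VERIFYCONTEXT As Long = &HF0000000
Private Const CALG_SHA_256 As Long = &H800C&, CALG_AES_256 As Long = &H6610&
Private Const AES_BLOCK As Long = 16

' doEncrypt = True encrypts data, False decrypts it; returns the transformed bytes.
Public Function EncryptDecrypt(ByRef data() As Byte, ByVal password As String, ByVal doEncrypt As Boolean) As Byte()
    Dim hProv As LongPtr, hHash As LongPtr, hKey As LongPtr
    Dim pw() As Byte, buf() As Byte, n As Long, ok As Long, apiErr As Long
    n = UBound(data) + 1
    If n = 0 Or Len(password) = 0 Then Err.Raise 5, "EncryptDecrypt", "Data and password are required"
    pw = password                                ' UTF-16 bytes of the typed password
    buf = data
    ReDim Preserve buf(0 To n + AES_BLOCK - 1)   ' CryptEncrypt pads in place: leave room for one extra block
    ok = CryptAcquireContext(hProv, vbNullString, vbNullString, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)
    If ok Then ok = CryptCreateHash(hProv, CALG_SHA_256, 0, 0, hHash)
    If ok Then ok = CryptHashData(hHash, pw(0), UBound(pw) + 1, 0)
    If ok Then ok = CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, hKey)
    If ok Then
        If doEncrypt Then                        ' the only place the two directions differ
            ok = CryptEncrypt(hKey, 0, 1, 0, buf(0), n, UBound(buf) + 1)
        Else
            ok = CryptDecrypt(hKey, 0, 1, 0, buf(0), n)
        End If
    End If
    If ok = 0 Then apiErr = Err.LastDllError     ' capture before cleanup calls overwrite it
    If hKey <> 0 Then CryptDestroyKey hKey
    If hHash <> 0 Then CryptDestroyHash hHash
    If hProv <> 0 Then CryptReleaseContext hProv, 0
    ' A wrong password normally fails here (bad padding) rather than returning garbage.
    If ok = 0 Or n = 0 Then Err.Raise vbObjectError + 513, "EncryptDecrypt", "CryptoAPI failed, error &H" & Hex$(apiErr)
    ReDim Preserve buf(0 To n - 1)               ' n now holds the output length
    EncryptDecrypt = buf
End Function
```

As written, the key is a single unsalted SHA-256 hash of the password and the cipher keeps the provider's default all-zero IV, so the same card number under the same password always produces the same ciphertext. Setting a random per-record IV with CryptSetKeyParam (KP_IV) and storing it beside the ciphertext removes that.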
 
All I want is to
encrypt/decrypt credit card numbers for a client (they are now
storing them in plain text!). It seems that people don't want to make
this easy.

OK, now I have the code to do the encryption/decryption. Now I need
to decide how to address the "display last 4 digits of credit card"
issue. Because I'm intending to have the users type in the password
for each credit card number before it is decrypted and revealed, I
can't just display the last 4 digits. I could do something like
store:

5225¼©Pd=cy¼ÌuQè°jÚ†Ê)8·™4

...where the first 4 digits are the last 4 unencrypted digits, and
what follows is the encrypted value, but I fear that having some of
the digits available makes it possible to crack the encryption.

Another thing I could do is use a simple seed value to encrypt the 4
digits (or the whole encrypted value, for that matter). There are also
two fields in the underlying data table I could use to obscure
things a bit.

Is this a problem with this level of encryption?
 
On 26 Jun 2009 17:45:59 GMT, "David W. Fenton"

You lost me. Of course you can display just the last 4 digits. You can
even store that (somewhat redundantly) in a separate column. Then in a
hidden field you have the full CCnumber.

-Tom.
Microsoft Access MVP
 
David said:
...where the first 4 digits are the last 4 unencrypted digits, and
what follows is the encrypted value, but I fear that having some of
the digits available makes it possible to crack the encryption.

Encrypt the number backwards or with some other simple change so that
the four digits will not tip off a hacker that their trial decryption
key is correct?

James A. Fortune
(e-mail address removed)
 