PHP form security

software development

#1

We have a few forms on our site that utilize PHP for the form processing. An example is a form which takes the visitor's information and writes the credit card information to a file within a password-protected directory, and emails us (with CC info removed) to notify us that an order was submitted. We then access the form information from a web browser at another address to get the form data.

The form utilizes a php file in the root directory of my domain. Is there a way to move/change this file so that it is not viewable to visitors but still can be used to securely process the form? This would just be an additional security precaution so that no one can hit that file directly through a web browser. Any ideas would be appreciated. Thanks!

  • Jorma
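One way to answer the "not viewable but still usable" part of the question: keep only a thin entry point in the document root and move the real processing code to a directory the web server never serves. This is an added example, not code from the thread; it assumes (hypothetically) a document root of /var/www/html, a private directory /var/www/private, and a CSRF token placed in the session when the form page is rendered. Both files are shown one after the other in a single block.

```php
<?php
// Added example (not from the thread): public entry point plus a processor
// stored outside the web root. Paths and the session field name are assumptions.

// ---- /var/www/html/order.php (public; the only file a browser can reach) ----
declare(strict_types=1);

session_start();

// Marker that only this entry point defines. The private file refuses to run
// without it, so even if /var/www/private were ever exposed by a bad vhost
// config, requesting it directly yields nothing.
define('FORM_ENTRY', true);

require '/var/www/private/process_order.php';

// ---- /var/www/private/process_order.php (outside the document root) ----
if (!defined('FORM_ENTRY')) {
    http_response_code(404);
    exit;
}

// Form submissions arrive by POST only; GET requests carry no form data.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Session-bound CSRF token, compared in constant time.
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals((string) $_SESSION['csrf'], (string) $_POST['csrf'])) {
    http_response_code(403);
    exit('bad token');
}

// Validate the non-sensitive fields. Card details are not written anywhere
// here; they should go straight to the payment processor (see later replies).
$name  = trim((string) ($_POST['name'] ?? ''));
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($name === '' || $email === false) {
    http_response_code(422);
    exit('invalid input');
}

// ... continue with order handling ...
```

The protection comes from the processor living outside the document root; the `FORM_ENTRY` guard is defence in depth for the day someone points a vhost at the wrong directory. With this layout the only PHP file a visitor can address is `order.php`, which does nothing but delegate.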

#2

Storing cardholder data in a plain-text file is a gross violation of the PCI-DSS requirements (which you agreed to when you got a merchant account); placing a password on the directory does not negate the fact that it’s still being stored unencrypted on the server hard disk.

Please review the requirements for PCI compliance. You may want to consider using an external payment processing service instead of processing charges yourself so that you don’t need to handle cardholder data.


#3

Thanks for the info, appreciate the quick response. Sounds like we need to run crypto ( http://crypto.stanford.edu/sjcl/ ) on the form… or find a 3rd party payment system.


#4

SJCL is unlikely to be useful, as it only supports symmetric cryptography. As such, using it to encrypt cardholder data on input would require that you send the encryption keys to users’ web browsers, making them public (and hence making the encryption pointless).


#5

Thanks Andrew. Would you recommend using GNU Privacy Guard (GPG) on the server to encrypt the form data and then have it mailed to us as encrypted text? We could then use GPG on our desktop computer to decrypt it. It seems that would meet the PCI encryption requirements since the data would be encrypted and not stored on the server. Please let me know what you think… and thanks again for your suggestions.


#6

So long as it’s implemented correctly, I suspect that would probably be compliant. You’d have to make certain that the form data was not written to disk, even as a temporary file, in the encryption process.
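The caveat in the reply above ("not written to disk, even as a temporary file") is the part people get wrong: shelling out to `gpg` with a temp file, or logging the request, defeats the point. The following added example (not from the thread) pipes the plaintext to `gpg` through stdin and reads the ASCII-armoured output from stdout, so nothing touches the filesystem. It assumes the `gpg` binary is on the PATH, that the recipient's public key has been imported into a dedicated keyring at the placeholder path /var/lib/formgpg, and that `$recipient` is that key's fingerprint.

```php
<?php
// Added example (not from the thread): encrypt form data with GnuPG entirely
// in memory. Keyring path and recipient fingerprint are placeholders.
declare(strict_types=1);

function gpg_encrypt_in_memory(string $plaintext, string $recipient, string $homedir): string
{
    // Array form of the command (PHP 7.4+) avoids shell quoting entirely.
    $cmd = [
        'gpg', '--batch', '--yes', '--no-tty',
        '--homedir', $homedir,
        '--trust-model', 'always', // key was provisioned by us; no trust prompt
        '--armor', '--encrypt',
        '--recipient', $recipient,
    ];
    $spec = [
        0 => ['pipe', 'r'], // stdin: plaintext in
        1 => ['pipe', 'w'], // stdout: armoured ciphertext out
        2 => ['pipe', 'w'], // stderr: diagnostics
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]); // EOF tells gpg to finish
    $cipher = stream_get_contents($pipes[1]);
    $err    = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Refuse to continue on any failure; never fall back to sending plaintext.
    if ($status !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg failed: ' . trim($err));
    }
    return $cipher;
}

// Build the message from the POST fields (field names are assumptions).
$plaintext = sprintf(
    "Name: %s\nEmail: %s\nCard: %s\nExpiry: %s\n",
    $_POST['name'] ?? '', $_POST['email'] ?? '',
    $_POST['card'] ?? '', $_POST['expiry'] ?? ''
);

$cipher = gpg_encrypt_in_memory($plaintext, 'PLACEHOLDER_FINGERPRINT', '/var/lib/formgpg');

// Best-effort wipe of the plaintext copy (libsodium, PHP 7.2+).
if (function_exists('sodium_memzero')) {
    sodium_memzero($plaintext);
}

// Only the ciphertext leaves the server; the subject carries no card data.
mail('orders@example.invalid', 'New order (encrypted)', $cipher,
     "Content-Type: text/plain; charset=us-ascii\r\n");
```

Two things to check on the server itself: `display_errors`, `log_errors` and any request-logging middleware must not echo `$_POST` on failure, and PHP's upload handling only spools multipart file uploads to disk, so a plain form POST stays in memory. The single write-then-read on the pipes is fine for a few hundred bytes of form data; for large inputs the two streams would need to be interleaved to avoid a deadlock.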


#7

It is very risky to do this on a shared server. I'd suggest you deal with a PSP that supports stored payments. The PSP stores the credit card number and usually gives you a token to access the payment.


#8

Thanks Patrick. We are on a VPS, so it should be safer than on a shared account. Thanks for your suggestions though.


#9

Please read this carefully if you are thinking of storing credit card numbers:
http://www.pcicomplianceguide.org/pcifaqs.php

It is not only about encrypting the number. There are more things for you to worry about. I'm not sure whether your system will be audited; if so, please check with your local auditors.

I'd still suggest you leave it with a PSP. Usually the PSP stores the credit card number and passes you a token. You use the token to talk to the PSP and charge customers.