[kwlug-disc] [OT] voip fax/email to fax/ ccards

[Adam Glauser]

John Van Ostrand wrote:
> ----- "Bob Jonkman" <bjonkman at sobac.com> wrote:
>> Why decrypt the number before storing it in the database?  Wouldn't 
>> storing the encrypted number protect against things like stolen 
>> databases, or lost backups of databases?  Any application with 
>> legitimate need to access the credit card number should be a holder of
>> the decryption key.
> 
> Good point. Although the email would have be decrypted to get the number, it could be held encrypted in the database to thwart hackers.

This may even be required by the card issuers.  I don't know to what 
extent this applies in Canada, or to smaller businesses, but there was 
frequent mention of PCI (Payment Card Industry) rules in the IBM 
Midrange forums I used to frequent.

My understanding is that they may revoke your card processing privileges 
if certain standards of security are not followed.