
Comment Re:Subscriptions (Score 1) 177

I program retail software and we are required to follow PCI compliance rules. These rules, now much more public since the TJ Maxx incident, state that no clear-text format of the credit card number can be stored in any file. For auditing purposes or to verify a purchase on a card we use RSA 1024 to encrypt the credit card number and store it in a transaction file. The only way to get that number is to have the key to decrypt. Other methods include doing a one-way hash on the card number, or simply masking the card data. Another way to store the data is within a binary file that uses some sort of hashing algorithm to store the data. We call these keyed files. They can't be opened and read; you would need our algorithm to locate the data and properly read it. These simple steps are enough to deter credit card thieves. It would be too much of a hassle to try and figure out the numbers. I think any business that deals with sensitive information such as credit card data should be encrypting that data. It should not be easily accessed. I think it's up to the businesses to make transactions secure for their customers.

In response to your comment, there are definitely times that the retailer needs that number to verify a purchase with a credit card company, and public key encryption is the way to go. That way the number can't be seen by those who don't have reason to be seeing it, but is available through decryption if need be. In the slim case that we can't decrypt, the one-way hash is a backup. A hash will always be the same for a card number, but you can't de-hash the number.
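The comment above describes three ways a retailer can keep a card number out of clear-text storage: masking it, keeping a one-way hash of it for later verification, and encrypting it so only a key holder can recover it. The following is an added example, not the commenter's software or code from any real payment system, showing the first two in standard-library Python: it validates the PAN with the Luhn check, masks it to the first six and last four digits, and derives a keyed one-way token (HMAC-SHA256) that can be compared against a card presented later without the stored record ever containing the number. The key `DEMO_KEY` and the card number (the well-known `4111...` test PAN) are constructed values for the demo; in a real deployment the key would live in an HSM or key-management service, and the recoverable copy would be encrypted with a public key using a library such as `cryptography`, which is not part of the standard library and is therefore not shown here. One caveat a practitioner would want: a plain, unkeyed hash of a 16-digit card number is not a safe "one-way" store, because the BIN prefix and the Luhn check digit leave far too few candidates to stop a brute-force attempt, which is why the token below is keyed.

```python
import hashlib
import hmac
from typing import Dict

# Constructed demo key; a real key would be fetched from an HSM or KMS, never
# hard-coded next to the data it protects.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, mask everything between."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token of the PAN (HMAC-SHA256, hex encoded).

    Deterministic for a given key, so the same card always yields the same
    token, but without the key it cannot be reversed or brute-forced.
    """
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def store_transaction(pan: str, amount_cents: int, key: bytes) -> Dict[str, object]:
    """Build the record that would go into the transaction file.

    The clear-text PAN is deliberately absent: only the masked form (for
    receipts and support staff) and the keyed token (for later verification).
    """
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return {
        "amount_cents": amount_cents,
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
    }


def verify_purchase(record: Dict[str, object], presented_pan: str, key: bytes) -> bool:
    """Check whether a card presented later is the one used in the record."""
    expected = str(record["pan_token"])
    # constant-time comparison so timing does not leak how many hex chars match
    return hmac.compare_digest(expected, pan_token(presented_pan, key))


if __name__ == "__main__":
    # Constructed sample: the standard Visa test number, not a real card.
    rec = store_transaction("4111 1111 1111 1111", 1999, DEMO_KEY)
    print(rec["pan_masked"])                                   # 411111******1111
    print(verify_purchase(rec, "4111111111111111", DEMO_KEY))  # True
    print(verify_purchase(rec, "4012888888881881", DEMO_KEY))  # False
```

Because the record holds only the token, an auditor can confirm "this card paid for this transaction" by recomputing the token from a card presented at the counter, while the file itself gives a thief nothing usable without the HMAC key.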
