API Security - Sending CC info
I'm trying to design a payments API, and it requires the sending of CC info over the wire. So for this I was thinking of using a public key to encrypt the CC info and decrypt it on the server. Keep in mind that the connection is HTTPS also. Any suggestions on the topic?
If the connection is HTTPS, encrypting it a second time won't do any good, except if someone breaks SSL/TLS. In that case, trust me, your API will be the least of the world's problems.
If the connection is HTTPS, no need to encrypt the CC details.
In contrast to the earlier answers, I would strongly suggest you read up on PCI-DSS. Basically you want to keep the card number encrypted until it is absolutely needed in plain text, such as when authorizing or settling. It's not clear what exactly your API calls will do, but at a guess you almost certainly don't want the card number to appear in plain text as soon as it hits your web service.
In addition, if you have a client-side component that captures card details, then that will fall under the scrutiny of PA-DSS.
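The approach the question proposes and the last answer endorses, card data encrypted to the processor's public key so that the web tier and any storage only ever hold ciphertext, looks like the following. This is an added example, not code from the question or any answer, written in Go using only the standard library; the `Envelope` field names and the `merchant=...;request=...` context string are hypothetical, and the PAN is the standard `4111111111111111` test number, not a real card. It uses hybrid encryption (a one-time AES-256-GCM key wrapped with RSA-OAEP) rather than RSA over the card data directly, and binds the envelope to a context via the GCM additional data and the OAEP label so a captured envelope cannot be replayed into a different request.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// CardData is what the client collects. Only the authorization/settlement
// component should ever hold it decrypted; the web tier only sees Envelope.
type CardData struct {
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
	CVV    string `json:"cvv"`
}

// Envelope is the hybrid-encrypted form sent over HTTPS and stored at rest.
// Field names are hypothetical, chosen for this example.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"` // one-time AES key, RSA-OAEP wrapped
	Nonce      []byte `json:"nonce"`       // 96-bit GCM nonce
	Ciphertext []byte `json:"ciphertext"`  // AES-256-GCM output, tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: fresh AES-256 key, AES-GCM over the JSON card data,
// key wrapped to the processor's RSA public key. aad binds the envelope to a
// context (merchant/request ID) so it cannot be replayed into another request.
func Seal(pub *rsa.PublicKey, card CardData, aad []byte) (Envelope, error) {
	plain, err := json.Marshal(card)
	if err != nil {
		return Envelope{}, err
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, aad)}, nil
}

// Open is the processor side and the only place the private key lives.
// A wrong context or any modification of the envelope is rejected.
func Open(priv *rsa.PrivateKey, env Envelope, aad []byte) (CardData, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, aad)
	if err != nil {
		return CardData{}, errors.New("key unwrap failed")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardData{}, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return CardData{}, errors.New("card data authentication failed")
	}
	var card CardData
	err = json.Unmarshal(plain, &card)
	return card, err
}

// MaskPAN is the only PAN-derived value the web tier should log or display.
func MaskPAN(pan string) string {
	if len(pan) < 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Roundtrip generates a processor key pair, seals a constructed test card on the
// "client" side, opens it on the "processor" side, and reports whether opening
// under a different context or after tampering is rejected.
func Roundtrip() (card CardData, wrongCtxRejected, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	in := CardData{PAN: "4111111111111111", Expiry: "12/29", CVV: "123"} // constructed test card
	aad := []byte("merchant=acme;request=42")                            // hypothetical context
	env, err := Seal(&priv.PublicKey, in, aad)
	if err != nil {
		return
	}
	if card, err = Open(priv, env, aad); err != nil {
		return
	}
	_, e1 := Open(priv, env, []byte("merchant=other;request=42"))
	wrongCtxRejected = e1 != nil
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, e2 := Open(priv, tampered, aad)
	tamperRejected = e2 != nil
	return
}

func main() {
	card, ctxRejected, tamperRejected, err := Roundtrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("processor sees:", card.PAN, "| web tier logs:", MaskPAN(card.PAN))
	fmt.Println("wrong context rejected:", ctxRejected, "| tamper rejected:", tamperRejected)
}
```

This does not replace TLS; TLS protects the hop to the web server, while the envelope keeps the PAN out of the web tier, request logs and the database until the component holding the private key needs it, which is what shrinks the set of systems in PCI-DSS scope. Keeping the private key only on the authorization/settlement host (ideally in an HSM) is what makes that separation real.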