Ultimately, I believe the only stick they really have is to prevent you from accepting credit cards. Most merchants I have worked with were scared to death of exactly that. I don't believe it's actually illegal to store CVV info (in the sense that it's against any law), but it does violate Payment Card Industry rules, and they could impose any number of different sanctions. So, your requirements could actually result in you not being able to accept credit cards ;-(

Andrew, you need to understand the PCI-DSS, no small task. Personally, I recommend Element Express, and they have a "Hosted" solution that bypasses the PCI-DSS PAPDB compliance.

If you do Symmetric encryption (Passkey) then you open yourself up to some serious security vulnerabilities if the server (site) that has the key (needed to encrypt) is compromised in any way.
There are a lot of things to take into consideration. At the end of the example the SecureString is converted into a regular managed string, which makes it vulnerable again (be sure to use the try-catch-finally pattern to Zero the string after you're done with it). MakeReadOnly(); // Recover plaintext from a SecureString // Marshal is in the System.Runtime.InteropServices namespace try catch finally If you are going to store credit card information you really need to be PCI compliant or you're just asking for trouble. SecureString's use is in reducing the surface-area of attack by limiting the number of copies the Garbage Collector will make of the value, and reducing the likelihood of being written to the swap file. Having said that, look at the cell level encryption available in SQL Server 2005 and above. // Make a SecureString SecureString sPassphrase = new SecureString(); Console. Coincidentally :) I have recently given a presentation with T-SQL samples on encryption with SQL Server 2005/2008 available here: (location updated December 23, 2008) It costs somewhere in the neighborhood of ,000 to become properly compliant and to be able to do that kind of stuff. WriteLine("Please enter your passphrase"); ConsoleKeyInfo input = Console. You are better off using a 3rd party payment service. It's only implied Payment providers can provide programmatic APIs to your merchant account and the ability to attempt a re-auth on a declined attempt. Scenario 1: Assuming all I said is true You don't have to store anything but a reference to the authorization attempt.
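The SecureString handling discussed above, as an added example that is not part of the original posts: the passphrase is read key by key into a SecureString, and the plaintext is recovered through Marshal into buffers that are zeroed in finally. The class and method names (PassphraseDemo, ReadPassphrase, UsePlaintext) are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class PassphraseDemo // hypothetical names throughout
{
    // Read keystrokes straight into a SecureString so the passphrase is
    // never held in an ordinary managed string while it is typed.
    static SecureString ReadPassphrase()
    {
        var secret = new SecureString();
        Console.WriteLine("Please enter your passphrase");
        ConsoleKeyInfo input;
        while ((input = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (input.Key == ConsoleKey.Backspace && secret.Length > 0)
                secret.RemoveAt(secret.Length - 1);
            else if (!char.IsControl(input.KeyChar))
                secret.AppendChar(input.KeyChar);
        }
        secret.MakeReadOnly();
        return secret;
    }

    // Recover the plaintext only for the duration of the callback; the BSTR
    // and the char[] copy are zeroed in finally, even if the callback throws.
    static void UsePlaintext(SecureString secret, Action<char[]> use)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);
            Marshal.Copy(bstr, chars, 0, chars.Length);
            use(chars);
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        using (SecureString secret = ReadPassphrase())
            UsePlaintext(secret, c => Console.WriteLine("Length: " + c.Length));
    }
}
```

Anything the callback copies into a regular string falls outside this cleanup, since managed strings are immutable and cannot be zeroed.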