According to Magento:
Strong Data Encryption, Hashing and Key Management
Strong data encryption based on AES-256 and strong hashing based on SHA-256. Database keys are easily managed and updated.
From my understanding and some quick glances at code:
Community is mainly Mcrypt and Blowfish (ECB Mode) based, as Don pointed out in the comments.
Enterprise uses a custom class for PCI compliance which uses both Mcrypt and Blowfish, with different ciphers and stronger encryption:
MCRYPT_RIJNDAEL_128, MCRYPT_RIJNDAEL_256, HASH_VERSION_SHA256, etc.
Both using a combination of MD5, salting and hashes.
You can override the encryption model if you wish to use your own:
    /**
     * @return Mage_Core_Model_Encryption
     */
    public function getEncryptor()
    {
        if ($this->_encryptor === null) {
            $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
            if ($encryptionModel) {
                $this->_encryptor = new $encryptionModel;
            } else {
                $this->_encryptor = Mage::getModel('core/encryption');
            }
            $this->_encryptor->setHelper($this);
        }
        return $this->_encryptor;
    }
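The getEncryptor() hook above only tells Magento which class to instantiate; what that class does with the key is the part that decides whether "Blowfish in ECB mode" or "AES-256" is true in practice. The following is an added example, not Magento's own code and not code from the answer above. It is a stand-alone class with the same encrypt()/decrypt() shape that uses AES-256-GCM (random nonce, authentication tag), and a small function that shows the property that makes ECB mode a poor fit for card data: equal plaintext blocks produce equal ciphertext blocks. It assumes PHP 7.1+ with ext-openssl; the class name AeadEncryption and the key handling are hypothetical, and AES-128-ECB stands in for Blowfish-ECB because the leak comes from the mode, not the cipher. Wiring such a class into Magento 1 would mean extending Mage_Core_Model_Encryption (keeping setHelper(), getHash() and validateHash()) and naming it under global/helpers/core/encryption_model in a module's config.xml, which is the node the XML_PATH_ENCRYPTION_MODEL constant points at.

```php
<?php
// Added example (not Magento code): an authenticated-encryption model shape.
// Assumed: PHP >= 7.1, ext-openssl. Class and function names are hypothetical.

class AeadEncryption
{
    const CIPHER  = 'aes-256-gcm';
    const IV_LEN  = 12; // 96-bit nonce, the recommended size for GCM
    const TAG_LEN = 16; // 128-bit authentication tag

    /** @var string 32-byte key; in Magento it would come from local.xml, never be hard-coded */
    private $key;

    public function __construct($key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('AES-256 requires a 32-byte key');
        }
        $this->key = $key;
    }

    /** Returns base64(nonce . tag . ciphertext); a fresh random nonce on every call. */
    public function encrypt($data)
    {
        $iv  = random_bytes(self::IV_LEN);
        $tag = '';
        $ct  = openssl_encrypt((string)$data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', self::TAG_LEN);
        if ($ct === false) {
            throw new RuntimeException('encryption failed: ' . openssl_error_string());
        }
        return base64_encode($iv . $tag . $ct);
    }

    /** Returns the plaintext, or false when the blob is truncated or has been altered (tag mismatch). */
    public function decrypt($blob)
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return false;
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        return openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
    }
}

// ECB has no IV: the same 16-byte block always encrypts to the same output,
// so repeated or structured plaintext is visible in the ciphertext. The mode
// is what causes this; Blowfish-ECB behaves exactly the same way.
function ecbRepeatsBlocks($key16)
{
    $block = '1234567890123456'; // constructed 16-byte sample
    $ct = openssl_encrypt($block . $block, 'aes-128-ecb', $key16, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    return substr($ct, 0, 16) === substr($ct, 16, 16);
}

// Demonstration on a constructed input (a public test card number, not a real card)
$key   = random_bytes(32);
$enc   = new AeadEncryption($key);
$pan   = '4111111111111111';
$blob1 = $enc->encrypt($pan);
$blob2 = $enc->encrypt($pan);

// Flip one base64 character inside the ciphertext part to simulate tampering
$tampered = $blob1;
$pos = strlen($tampered) - 6;
$tampered[$pos] = ($tampered[$pos] === 'A') ? 'B' : 'A';

printf("same plaintext, different blobs: %s\n", $blob1 !== $blob2 ? 'yes' : 'no');
printf("round trip intact:               %s\n", $enc->decrypt($blob1) === $pan ? 'yes' : 'no');
printf("tampered blob rejected:          %s\n", $enc->decrypt($tampered) === false ? 'yes' : 'no');
printf("ECB repeats equal blocks:        %s\n", ecbRepeatsBlocks(substr($key, 0, 16)) ? 'yes' : 'no');
```

The design choice worth noting is that decrypt() returns false rather than garbage when the stored value has been altered; with an unauthenticated mode such as ECB or plain CBC, a modified row decrypts to something and the application has no way to tell.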
With that said, storing Credit Card data makes you a target and future legal issues possibly.
However, I have seen scraping hacks that capture data input before it is encrypted and log it. So simply not storing them doesn't make you immune either. This is proof that other exploits outside of Magento in its stack should always be considered.
As far as encryption strength, that would be a better question for:
Other related documents to read:
There's a great post about this on stackoverflow. You can check the answers here: https://stackoverflow.com/questions/72768/how-do-you-detect-credit-card-type-based-on-number.
The two most important excerpts:
Visa: ^4[0-9]{6,}$
Visa card numbers start with a 4.
MasterCard: ^5[1-5][0-9]{5,}$
MasterCard numbers start with the numbers 51 through 55, but this will only detect MasterCard credit cards; there are other cards issued using the MasterCard system that do not fall into this IIN range.
American Express: ^3[47][0-9]{5,}$
American Express card numbers start with 34 or 37.
Diners Club: ^3(?:0[0-5]|[68][0-9])[0-9]{4,}$
Diners Club card numbers begin with 300 through 305, 36 or 38. There are Diners Club cards that begin with 5 and have 16 digits. These are a joint venture between Diners Club and MasterCard, and should be processed like a MasterCard.
Discover: ^6(?:011|5[0-9]{2})[0-9]{3,}$
Discover card numbers begin with 6011 or 65.
JCB: ^(?:2131|1800|35[0-9]{3})[0-9]{3,}$
JCB cards begin with 2131, 1800 or 35.
And a full class, actually:
class CreditcardType
{
    public static $creditcardTypes = array(
        array('Name' => 'American Express', 'cardLength' => array(15), 'cardPrefix' => array('34', '37')),
        array('Name' => 'Maestro', 'cardLength' => array(12, 13, 14, 15, 16, 17, 18, 19), 'cardPrefix' => array('5018', '5020', '5038', '6304', '6759', '6761', '6763')),
        array('Name' => 'Mastercard', 'cardLength' => array(16), 'cardPrefix' => array('51', '52', '53', '54', '55')),
        array('Name' => 'Visa', 'cardLength' => array(13, 16), 'cardPrefix' => array('4')),
        array('Name' => 'JCB', 'cardLength' => array(16), 'cardPrefix' => array('3528', '3529', '353', '354', '355', '356', '357', '358')),
        array('Name' => 'Discover', 'cardLength' => array(16), 'cardPrefix' => array('6011', '622126', '622127', '622128', '622129', '62213',
            '62214', '62215', '62216', '62217', '62218', '62219',
            '6222', '6223', '6224', '6225', '6226', '6227', '6228',
            '62290', '62291', '622920', '622921', '622922', '622923',
            '622924', '622925', '644', '645', '646', '647', '648',
            '649', '65')),
        array('Name' => 'Solo', 'cardLength' => array(16, 18, 19), 'cardPrefix' => array('6334', '6767')),
        array('Name' => 'Unionpay', 'cardLength' => array(16, 17, 18, 19), 'cardPrefix' => array('622126', '622127', '622128', '622129', '62213', '62214',
            '62215', '62216', '62217', '62218', '62219', '6222', '6223',
            '6224', '6225', '6226', '6227', '6228', '62290', '62291',
            '622920', '622921', '622922', '622923', '622924', '622925')),
        array('Name' => 'Diners Club', 'cardLength' => array(14), 'cardPrefix' => array('300', '301', '302', '303', '304', '305', '36')),
        array('Name' => 'Diners Club US', 'cardLength' => array(16), 'cardPrefix' => array('54', '55')),
        array('Name' => 'Diners Club Carte Blanche', 'cardLength' => array(14), 'cardPrefix' => array('300', '305')),
        array('Name' => 'Laser', 'cardLength' => array(16, 17, 18, 19), 'cardPrefix' => array('6304', '6706', '6771', '6709')),
    );

    private function __construct() {}

    public static function getType($CCNumber)
    {
        $CCNumber = trim($CCNumber);
        $type = 'Unknown';
        foreach (CreditcardType::$creditcardTypes as $card) {
            // Length must match first; then the number must start with one of the card's prefixes
            if (!in_array(strlen($CCNumber), $card['cardLength'])) {
                continue;
            }
            $prefixes = '/^(' . implode('|', $card['cardPrefix']) . ')/';
            if (preg_match($prefixes, $CCNumber) == 1) {
                $type = $card['Name'];
                break;
            }
        }
        return $type;
    }
}
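Prefix matching tells you the brand, but it says nothing about whether the digits are a plausible card number, and neither the regexes nor the class above helps with the point made earlier in this thread about logging: anything you write to a log should not be the full PAN. The block below is an added example, not code from the Stack Overflow thread or from Magento. It combines the six IIN regexes quoted above with a Luhn (mod 10) checksum and a masking helper, which goes beyond the thread's detection-only snippet; the class name CardNumber and its method names are hypothetical, and the sample numbers are the widely published test numbers, not real cards. It runs stand-alone on PHP 5.4 or later.

```php
<?php
// Added example (not from the thread or Magento). Class/method names are hypothetical.

class CardNumber
{
    // IIN patterns exactly as quoted in the thread above. First match wins,
    // and, as the thread itself notes, not every card on the MasterCard
    // network falls in the 51-55 range these patterns cover.
    private static $patterns = array(
        'Visa'             => '/^4[0-9]{6,}$/',
        'MasterCard'       => '/^5[1-5][0-9]{5,}$/',
        'American Express' => '/^3[47][0-9]{5,}$/',
        'Diners Club'      => '/^3(?:0[0-5]|[68][0-9])[0-9]{4,}$/',
        'Discover'         => '/^6(?:011|5[0-9]{2})[0-9]{3,}$/',
        'JCB'              => '/^(?:2131|1800|35[0-9]{3})[0-9]{3,}$/',
    );

    /** Strip the spaces and dashes people type; anything else makes the input invalid. */
    public static function normalize($input)
    {
        $digits = preg_replace('/[\s-]/', '', (string)$input);
        return ctype_digit($digits) ? $digits : null;
    }

    /** Luhn (mod 10) checksum: rejects typos and most made-up numbers. */
    public static function luhnValid($digits)
    {
        $sum = 0;
        $len = strlen($digits);
        for ($i = 0; $i < $len; $i++) {
            $d = (int)$digits[$len - 1 - $i];
            if ($i % 2 === 1) {      // double every second digit from the right
                $d *= 2;
                if ($d > 9) {
                    $d -= 9;
                }
            }
            $sum += $d;
        }
        return $len >= 12 && $sum % 10 === 0;
    }

    /** Brand from the IIN prefix, using the thread's regexes in declaration order. */
    public static function type($digits)
    {
        foreach (self::$patterns as $name => $re) {
            if (preg_match($re, $digits) === 1) {
                return $name;
            }
        }
        return 'Unknown';
    }

    /** Display form: first 6 and last 4 at most (the PCI DSS ceiling), rest masked. */
    public static function mask($digits)
    {
        $len = strlen($digits);
        if ($len <= 10) {
            return str_repeat('*', $len);
        }
        return substr($digits, 0, 6) . str_repeat('*', $len - 10) . substr($digits, -4);
    }

    /** Everything a checkout step or a log line may safely keep about the number. */
    public static function inspect($input)
    {
        $digits = self::normalize($input);
        if ($digits === null) {
            return array('valid' => false, 'type' => 'Unknown', 'masked' => null);
        }
        return array(
            'valid'  => self::luhnValid($digits),
            'type'   => self::type($digits),
            'masked' => self::mask($digits),
        );
    }
}

// Constructed sample input: public test numbers, plus one with a typo in the last digit
$samples = array(
    '4111 1111 1111 1111', '5500-0000-0000-0004', '378282246310005',
    '30569309025904', '6011111111111117', '3530111333300000',
    '4111111111111112', 'not a number',
);
foreach ($samples as $s) {
    $r = CardNumber::inspect($s);
    printf("%-22s %-17s luhn=%-4s masked=%s\n",
        $s, $r['type'], $r['valid'] ? 'ok' : 'FAIL', $r['masked'] === null ? '-' : $r['masked']);
}
```

For an application log, keep even less than mask() returns: the last four digits are usually enough to correlate a failed payment with a support ticket, and the first six identify the issuer, which the log rarely needs.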
Best Answer
The encrypted credit card numbers are stored in the cc_number_enc column of the sales_flat_order_payment table. With this SQL query you can delete them all:
To delete all credit card data, do the same with the other columns that start with cc_: