[H-GEN] Credit card security
Michael Anthon
michael at anthon.net
Thu May 24 18:40:33 EDT 2001
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
To the more security aware of you....
I have a friend that wants to convert some ASP pages to PHP. I have had
a look at the existing stuff and it's quite simple, however I have a bit
of a concern about how it's handling credit card details and was hoping
to get some suggestions on how to do it better.
Essentially the customer fills out a simple order page and submits it.
The order details and the credit card details are stored in a database
and an email is sent to someone giving the order details and a link to a
web page to view the credit card details. It's a manual processing
system, so the person that gets that email opens the web page to get the
CC details and processes the payment and sends the goods.
Like I said, pretty simple, but here are my concerns.
1. The CC information is stored in the database in clear text.
2. I'm not sure whether SSL combined with .htaccess security on the web
server is good enough for this purpose.
I had a couple of thoughts on how to do this better.
1. Use public key encryption to encrypt the details and send it in the
email (don't use a database at all). I don't think this one is
acceptable since it's possible to lose an order.
2. Same as above but store the encrypted data in the database and send a
clear text email as before without the CC details. The web page would
give the CC details in an encrypted block that could then be cut/pasted
into whatever tool was being used by the recipient.
Anything I have missed here or any suggestions on a better way to do it?
Cheers
Michael
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
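The second option in the post, as an added worked example that is not part of the original message and not code from the poster's ASP or PHP site. It is written in Go rather than PHP purely so the design can be run stand-alone; the struct fields, function names, the `https://shop.example/...` link and the `4111...` card number are all constructed for the example. The web server holds only the processing person's public key, so the database row and the notification email carry nothing a reader of either could use, and the `.htaccess`-protected page would only ever serve a ciphertext block that the recipient decrypts on their own machine with the private key. Card details still pass through the web server in clear during the request itself, so SSL on the order form remains necessary.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Order is what the customer's order form submits (field names are assumptions).
type Order struct {
	ID       string
	Customer string
	Items    string
	Card     string // card number, expiry, name as typed; never persisted in clear
}

// StoredOrder is the database row: order details in clear, card details only as
// an RSA-OAEP ciphertext produced with the processing person's public key.
type StoredOrder struct {
	ID         string
	Customer   string
	Items      string
	CardSealed string // base64 ciphertext, the block the recipient cuts and pastes
}

// GenerateProcessorKey stands in for the processing person generating a keypair
// offline; only the public half would ever be installed on the web server.
func GenerateProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// oaepLabel binds the ciphertext to this use; it is not secret.
var oaepLabel = []byte("order-card")

// SealCard encrypts the card details with the public key. RSA-OAEP/SHA-256 with a
// 2048-bit key takes up to 190 bytes of plaintext, ample for number, expiry and name.
func SealCard(pub *rsa.PublicKey, card string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(card), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenCard is what the recipient runs locally with the private key, which never
// lives on the web server or in the database.
func OpenCard(priv *rsa.PrivateKey, sealed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreOrder is the web server side: it sees the clear card details only for the
// duration of the request, seals them, and keeps the ciphertext in the row.
func StoreOrder(pub *rsa.PublicKey, o Order) (StoredOrder, error) {
	sealed, err := SealCard(pub, o.Card)
	if err != nil {
		return StoredOrder{}, err
	}
	return StoredOrder{ID: o.ID, Customer: o.Customer, Items: o.Items, CardSealed: sealed}, nil
}

// NotificationEmail is the clear-text email from option 2: order details and a
// link to the (access-controlled) page, no card data. The URL is a placeholder.
func NotificationEmail(s StoredOrder) string {
	return fmt.Sprintf("New order %s from %s: %s\nCard block: https://shop.example/orders/%s/card\n",
		s.ID, s.Customer, s.Items, s.ID)
}

// LeaksCard reports whether a stored row or email still contains the card number.
func LeaksCard(text, cardNumber string) bool {
	return strings.Contains(text, cardNumber)
}

func main() {
	priv, _ := GenerateProcessorKey()
	// Constructed test order; 4111... is a well-known test card number, not a real one.
	order := Order{ID: "1001", Customer: "A. Customer", Items: "2 x widget", Card: "4111111111111111 12/03 A CUSTOMER"}
	row, _ := StoreOrder(&priv.PublicKey, order)
	fmt.Print(NotificationEmail(row))
	fmt.Println("row leaks card number:", LeaksCard(row.CardSealed, "4111111111111111"))
	card, _ := OpenCard(priv, row.CardSealed)
	fmt.Println("recipient recovers:", card)
}
```

The one thing this does not do is let the web application read the card back, which is the point: anyone who obtains the database or the HTML page gets only the ciphertext, and losing an order is no longer a risk because the sealed block stays in the database until the recipient has processed it.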