
Storing Credit Card Info

Author:
Issac Rosa
06/17/2003 07:06 PM

My client has a need to store credit card. What's the best, cost effective, most secure way of doing this? Is it just better to capture the information in the db and then download to a local db, and keep off the server? I'm curious to know what others are doing in this situation. Currently, the application and db (MySQL) are on a shared server.

Thanks,
Issac

Author:
Matt Robertson
06/17/2003 07:53 PM

Holy cow... that's a very scary prospect. Obviously an SSL connection is the first step. Then...

Encrypt the data. Don't rely on either CF or mySQL's encryption if you can at all possibly avoid it. My personal favorite encryption method is cfx_textcrypt from http://perthweb.developer.com.au but I'm sure others on the list have favorites of their own.

And as soon as you can get those cc numbers off the server, do so. Remember you have to ensure the integrity of the transaction throughout, so if you are planning on transferring to a local db then *that* connection -- be it a brute force ftp copy (possible under mysql but ugly) or a local cf server pulling data off the live box via a remote odbc connection -- has to also be ssl-secured.

-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------

Author:
John Paul Ashenfelter
06/18/2003 10:09 AM

> Holy cow... that's a very scary prospect. Obviously an SSL connection is the first step. Then...

Actually, first step is moving to a NOT shared server. Virtual hosting and SSL are an issue. Sharing is an issue. Etc. Etc. And you want to make sure that the web to database connection is/can run SSL so things can't be sniffed at the ISP.

> Encrypt the data. Don't rely on either CF or mySQL's encryption if you can at all possibly avoid it. My personal favorite encryption method is cfx_textcrypt from http://perthweb.developer.com.au but I'm sure others on the list have favorites of their own.

Actually, I'd highly recommend the MySQL encryption since you've got a lot of industry standard choices. CF doesn't have real encryption baked into it, though you could access the Java security toolset -- but MySQL's got all that built in.

http://www.mysql.com/doc/en/Miscellaneous_functions.html

Basic (keyphrase) encryption
ENCRYPT() using the Unix crypt command is OK for general crypt, but I wouldn't use credit cards
ENCODE() is not cool

One-way -- not the best for credit cards :)
MD5()
SHA1()

Two-way encryption (not a bad idea for credit cards)
AES_ENCRYPT() (128 bit, 256 with recompile) added in 4.02 which is awesome
DES_ENCRYPT() 3DES like a Cisco PIX does to your traffic, etc. Also needs SSL

I think industry standard choices are a much better choice than a 3rd party tool

> And as soon as you can get those cc numbers off the server, do so. Remember you have to ensure the integrity of the transaction throughout, so if you are planning on transferring to a local db then *that* connection -- be it a brute force ftp copy (possible under mysql but ugly) or a local cf server pulling data off the live box via a remote odbc connection -- has to also be ssl-secured.

Ditto that.

Regards,
John Paul Ashenfelter
CTO/TransitionPoint

Author:
Matt Robertson
06/18/2003 12:24 PM

John Paul Ashenfelter wrote:

> Actually, first step is moving to a NOT shared server.

Agreed. Shared hosting is a horrible environment when you need serious security. I was guessing the guy is stuck on that platform.

> Actually, I'd highly recommend the MySQL encryption

This is what I get for not looking at the function list for a long time. The AES option *is* awesome. The problem I still have is that not all db's support this (only mySQL?), and I have to keep the code compatible with everything my product supports... So I'm outta luck on that score.

> I think industry standard choices are a much better choice than a 3rd party tool.

Yup. That tool I gave the (bad) link to uses RSA encryption in 512, 1024 or 2048-bit key lengths. Not sure if that's still considered an industry standard?

Cheers,
--------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------

Author:
Stan Winchester
06/20/2003 08:00 PM

Matt,

Is there a "best practice" to store/implement the private key for cfx_textcrypt? I know the private key is one of the major keys to security of the process, and my best guess must not be stored on the server. How do you store/implement the private key?

Stan Winchester
AfterShock Web Design, LLC
stan@aftershockweb.com
http://www.aftershockweb.com/
Tel. 503-244-3440
Fax 503-244-3454

> Encrypt the data. Don't rely on either CF or mySQL's encryption if you can at all possibly avoid it. My personal favorite encryption method is cfx_textcrypt from http://perthweb.developer.com.au but I'm sure others on the list have favorites of their own.
>
> Matt Robertson, matt@mysecretbase.com
> MSB Designs, Inc. http://mysecretbase.com

Author:
Bud
06/21/2003 09:09 AM

> Is there a "best practice" to store/implement the private key for cfx_textcrypt? I know the private key is one of the major keys to security of the process, and my best guess must not be stored on the server. How do you store/implement the private key?

I personally store it on my computer at home/work, with a cryptic name like old_recipes.txt or whatnot. I copy and paste into a text field and set as a session variable when I'm working with decrypting cards.

Of course, this makes it impractical to use in a situation where you'd want to store a customer's card and let them return and use that card without entering it again. In that case you'd have to store the private key on the server and then the whole encryption thing is moot.

--
Bud Schneehagen - Tropical Web Creations, Inc.
Web Based Solutions / eCommerce Development & Hosting
http://www.twcreations.com/ - http://www.cf-ezcart.com/
954.721.3452 - Toll Free: 877.207.6397 - Fax: 954.721.7493

Author:
Al Musella, DPM
06/21/2003 11:50 AM

How bad would it be to just use a long password as the encryption key? Require the password be over 10 characters and a mix of upper/lower case letters and numbers. This way they never have to copy and paste it in, they could just remember it.

Al

Author:
Matt Robertson
06/21/2003 12:12 PM

At that point wouldn't it be easier for the customer to just type in the cc number? If not, how much more convenient is the password vs. the card? Worth the risk?

--------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------

Author:
Al Musella, DPM
06/21/2003 04:35 PM

I meant for the owner of the website... when he wants to decrypt a credit card number that is stored on the website, instead of entering the private key by copying and pasting, just use the password.

Al

At 09:09 AM 6/21/2003 -0700, Matt Robertson wrote:
> At that point wouldn't it be easier for the customer to just type in the cc number? If not, how much more convenient is the password vs. the card? Worth the risk?

Author:
Tilbrook, Peter
06/17/2003 11:25 PM

If that link doesn't work go to:

http://www.perthweb.com.au/

And click on Developer.

==
Peter Tilbrook
Internet Applications Developer
Australian Building Codes Board
GPO Box 9839 CANBERRA ACT 2601 AUSTRALIA
WWW: http://www.abcb.gov.au/
E-Mail: peter.tilbrook@abcb.gov.au
Telephone: +61 (02) 6213 6731
Mobile: 0439 401 823
Facsimile: +61 (02) 6213 7287

Author:
Matt Robertson
06/18/2003 12:05 PM

Thx Peter. Looks like a bit of dyslexia crept into my fingers :D

--Matt--

Author:
Sicular, Alexander
06/18/2003 12:41 AM

Isaac,

I think this book has been recommended here before... 'Translucent Databases' by Peter Wayner. It deals with all sorts of database/encryption issues.

Gl,
alex

Author:
Tim Laureska
06/18/2003 03:44 AM

I'm about to embark on processing CC transactions for the first time as well ... Isn't it best to not record the CC information in a database at all if possible... just transmit the CC info as securely as possible to a processor (ex. Authorize.net)?

I know some sites (ex. Amazon etc.) do maintain this info though in a DB for frequent buyers ... Are there any advantages that make it imperative to keep this info in a db?

Tim

Author:
Mosh Teitelbaum
06/18/2003 10:41 AM

Data (as in the credit card numbers) will always be most secure if it's not saved anywhere. But that means that, every time a return customer wants to place another order, she has to retype the credit card info.

A lot of online shops, including the big players like Amazon, don't actually process your credit card on the website while you wait. Notice how Amazon sends you an email when you place the order and another one to let you know that your order has been approved. I don't have any inside info as to how Amazon actually handles their data, but I wouldn't be surprised if the *COMPLETE* credit card data is stored offsite and only summary info (last 4 digits of credit card number, expiration date) is stored onsite. This provides a significant amount of security while also allowing convenience.

Another thing that online shops are starting to do is to require that the CVV2 code be entered for all transactions. This is a 3-4 digit number that is printed on your card and helps to authenticate the full credit card number. All of the shops using CVV2 that I've heard of require that you enter it every time. Again, a trade off in security and convenience. This is more secure than the above but actually requires that I have the credit card on hand (or memorize the CVV2).

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: mosh.teitelbaum@evoch.com
WWW: http://www.evoch.com/

Author:
cf-talk
06/18/2003 06:01 PM

If I remember correctly, the Visa/MasterCard rules REQUIRE you to keep record of all transactions for a period of time (2 years?). Many people do this via a database... some print to hard copy.

-Novak

Author:
Costas Piliotis
06/18/2003 07:23 PM

If I'm not mistaken though, you can adhere to those rules by storing the authorization number. Much safer than storing the cc#... And still proof that you got the transaction.

> If I remember correctly, the Visa/MasterCard rules REQUIRE you to keep record of all transactions for a period of time (2 years?). Many people do this via a database... some print to hard copy.
>
> -Novak

Author:
Matt Robertson
06/20/2003 08:34 PM

Hi Stan,

You guessed it: I train the client to keep the private key in a text file on their own desktop or someplace safe locally.

Let me back up a step: First thing I do is build a cf template that generates public and private keys, and shows those keys to the client via an ssl connection. The template generates the keys and the client -- at their physical office location -- plants the public key into a form field that then stores it onto the server, also on ssl. They take the private key and copy it to a local text file.

When they come back the next day to their app they have to go to an 'input your key' form (ssl again) where they paste in the private key. I then take that value and store it in a session cookie... NOT a regular cookie as that gets stored on the local HD, and not a client variable since that gets stored on the server where it can be harvested by a hacker from the client variable db(!). Using a session cookie also has the secondary effect of killing the key when the browser is closed, and keeping it clean off the server even after it's instantiated. I could use session vars but my app doesn't use CF session mgmt to maintain state.

If the client is a basket case and I have to generate keys for them I mail the key to them on a disk.

As you can guess none of this is convenient, but I tell the client this is the tradeoff for true security, exhibition of due diligence and limitation of liability. Explaining how doing this right helps keep them from losing a lawsuit always gets their attention.

Cheers,
-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------

Author:
Kay Smoljak
06/21/2003 10:34 PM

Matt Robertson wrote:
> You guessed it: I train the client to keep the private key in a text file on their own desktop or someplace safe locally.

I've been thinking about doing something with one of those USB thumb drives - I don't know about the rest of the world but here in Australia you can now get the smallest (64MB, USB2) for around 20 bucks. Seems to me like a nice way of doing it - tell the client that when they're finished, they should unplug the "key" and put it back in the locked drawer or filing cabinet or whatever.

We're even thinking of writing some kind of little Windows utility on it that pastes the key (stored on the drive) into the clipboard or even looks for the form field in the browser window. Just to cut out a step for the less-than-savvy client - and we all have *at least* one of those :)

Anyway, I don't keep up with CFTALK as much as I'd like these days, but I work for PerthWeb, developers of cardcrypt and textcrypt. We also have a Windows-based decryption utility now, so you can encrypt the credit card number and email it to our client for manual processing if they don't have real-time processing (and you don't want to mess with PGP licensing). If anyone has any questions about any of our encryption products, please email me directly (kay@perthweb.com.au).

Cheers,
Kay.

Author:
Stan Winchester
06/22/2003 12:27 AM

Kay,

Isn't technology great! I think the USB thumb drive is a wonderful idea! If you could make a Windows utility and make using cfx_textcrypt / cfx_cardcrypt a turn key process, then that is even better! When I first asked my question about if there was a "best practice" to store/implement the private key for cfx_textcrypt, I had no idea I would get this kind of input. I am really impressed with the CF-Talk community, and the way everyone pulls together to help each other.

Thank you to all CF-Talkers,

Stan Winchester
AfterShock Web Design, LLC
stan@aftershockweb.com
http://www.aftershockweb.com/
Tel. 503-244-3440
Fax 503-244-3454

Author:
Matt Robertson
06/22/2003 04:26 PM

I second Stan's comments. That is an outstanding idea, Kate! I have *exactly* the client who needs that solution; and realistically, probably all of them. Sounds like a great convenience upgrade.

Some guy is selling 16mb units with an erase protection switch and optional password protection for US$1.99 each. $9.95 shipping but I bet I can get a bulk deal. That'll let me stock up and just hand a client a key. Great excuse to visit the locals and show my smiling face.

Cheers,
--------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------

Author:
Kay Smoljak
06/23/2003 10:21 PM

Hmmm... well, I've got our programmers thinking up what would be the best way to automate it as much as possible. The problem is that I think USB devices don't allow "autorun" programs. So there'd need to be some kind of manual input from the user to start the process, unless you had a Windows program installed on their computer looking for the USB drive, which starts to get way more messy than anyone wants. If anyone has any ideas about this, please let me know! Kay.

Author:
cf-talk
06/25/2003 12:25 AM

Matt,

Did you have a URL for the guy you mentioned below?

-Novak

Author:
Matt Robertson
06/25/2003 04:20 AM

Go to ebay and search for '16mb usb pen drive'. You'll get a boatload of 'em. The one I just bought was the PingTec one with the squared off design.

Looks like a single operator - the mfr - is selling under several different names. And the $1.99 price is pure BS. They have $9.95 shipping (no qty discounts) plus a mandatory $1 insurance charge. Since they use USPS priority mail they are obviously padding their so-called sale price.

Makes the price $12.94, which is still reasonable. Asked the buyer what price he'd quote me for 12 units. His response was $14. Must have figured I couldn't add or something.

--------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------

Author:
Matt Robertson
06/23/2003 10:39 PM

For my own purposes, I was thinking of having the user click an icon to save a generated key onto a certain drive. At that point the key and its folder off the root would be named by CF to something CF would know later, automatically (i.e. use some formula for a filename, like /privatekey/applicationname.txt).

That presupposes I can do something where CF determines a list of available drives. Haven't taken the time to figure out if CF has any built-in functions to help with that task, or if it's even possible.

If the user plugs in a USB pen drive and knows that drive is E: drive, they just direct the key to be stored there.

Retrieval would, ideally, be CF searching all available drives for the /privatekey/ folder and, when it finds same, search for currentapplicationname.txt. Once it finds that it reads the contents of the file and off it goes.

The user experience once the key is stored would then be:

1. User plugs "key" into computer.
2. User uses application.

The application does the above key search on its own if it's asked to display an encrypted item. The private key is not stored in persistent memory, so removing the physical "key" (i.e. the USB pen drive) disables decryption.

Have to figure a way for CF to determine a list of all available drives for the above to work.

-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------

> Hmmm... well, I've got our programmers thinking up what would be the best way to automate it as much as possible. The problem is that I think USB devices don't allow "autorun" programs. So there'd need to be some kind of manual input from the user to start the process, unless you had a Windows program installed on their computer looking for the USB drive, which starts to get way more messy than anyone wants.
>
> If anyone has any ideas about this, please let me know!
>
> Kay.

Author:
Doug White
06/23/2003 11:13 PM

How many users will have access to the generated key? If it is just one client, then you can store the location of the key, in the database containing the user name and password. If you can do that, it will save you a lot of code.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
======================================
If you are not satisfied with my service, my job isn't done!

Author:
Kay Smoljak
06/24/2003 07:07 PM

> That presupposes I can do something where CF determines a list of available drives. Haven't taken the time to figure out if CF has any built-in functions to help with that task, or if it's even possible.

Hmmm... wouldn't you need some kind of signed ActiveX object or something to allow the browser access to the user's filesystem?

K.

Author:
Matt Robertson
06/24/2003 07:25 PM

Yup it sure would.  Didn't think that post thru too well.  The user will have to initiate the key load via a file upload-type form.  Also key storage after creation will have to be pushed with cfcontent so that a file dialog opens up and the user makes the hopefully correct decision on where to store it.

Author:
Jon Hart
06/23/2003 11:23 PM

> For my own purposes, I was thinking of having the user click an icon to save a generated key onto a certain drive. At that point the key and its folder off the root would be named by CF to something CF would know later, automatically (i.e. use some formula for a filename, like /privatekey/applicationname.txt).

If you can make the requirement for the system be win2k or better, drives can be mounted at any point in the drive tree. I'm not sure how you tell win2k how to mount it in a certain place. That means that you can make the key mount in the user's home directory, with a known name.

Jon.

