[Gllug] OT : Credit cards in a MySQL Database
Richard Cottrill
richard_c at tpg.com.au
Tue Jun 17 11:12:29 UTC 2003
I have seen it done; but I wouldn't unless I had no choice. The risk is
too high for me. People can bleat about "you should make it secure" (and
you should); but that's no reason to tempt fate, invite trouble, etc.
Either way, yes, I would encrypt the data, make the server physically
secure, be very sure that you have vetted all employees with (physical
or virtual) access, don't send the credit card numbers across any
network if you can avoid it (encrypted or not - send hashes where
appropriate).
I'd set up a separate server that had no route to the Internet, that had
a single purpose of storing and providing sensitive data. I'd write a
very small, simple application to shift data between this separate
machine and the web server (the idea is that this is a very simple
application so it's easily secured - there are just fewer opportunities
to make mistakes).
I believe that security is about putting as many obstacles in the way of
potential intruders as possible. Harden your system as far as is
possible, then obfuscate.
A server with credit card details WILL attract unwanted attention of the
motivated and competent variety. You should be paranoid.
Richard
Calvin la Cock wrote:
> Hi,
>
> I'm busy developing an e-commerce site that takes cash bookings that are
> secured via a credit card number.
>
> How can I safely save credit card details in MySQL? Or any other sensitive
> information? Encryption??
>
> Any ideas will help.
>
>
> Also, any online transaction clearing companies that you lot have worked with
> that are good? Anyone worked with WorldPay?
>
> Many thanks
> Calvin la Cock
>
>
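One way to build the isolated card store Richard describes, as an added example that is not from this post or the list: a vault process that alone holds the keys and the encrypted numbers, while the web tier stores only a token. The `Vault` type, its keys and the in-memory map standing in for the MySQL table are assumptions of this example; the token is an HMAC rather than a plain hash, since card numbers have too little entropy for a plain hash to be safe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Vault stands in for the post's isolated card-store host: only it holds keys and card numbers.
type Vault struct {
	aead   cipher.AEAD
	macKey []byte            // demo keys are passed in; in practice they never leave the vault
	rows   map[string][]byte // token -> nonce||ciphertext, the "MySQL table" on the vault
}

func NewVault(encKey [32]byte, macKey []byte) *Vault {
	block, _ := aes.NewCipher(encKey[:]) // a 32-byte key is always valid (AES-256)
	aead, _ := cipher.NewGCM(block)      // cannot fail for an AES block cipher
	return &Vault{aead, macKey, map[string][]byte{}}
}

// Token is the reference the web tier stores: an HMAC of the PAN under a vault-only key.
func (v *Vault) Token(pan string) string {
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// Store encrypts the PAN with AES-GCM (fresh nonce per row, token bound as
// associated data so rows cannot be swapped) and returns only the token.
func (v *Vault) Store(pan string) (string, error) {
	token := v.Token(pan)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	v.rows[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, nil
}

// Retrieve is the only way back to a PAN; it runs on the vault, never the web server.
func (v *Vault) Retrieve(token string) (string, error) {
	row, ok := v.rows[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, row[:ns], row[ns:], []byte(token)) // fails if tampered
	return string(pan), err
}
```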
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug