Web Design Forum  
 
08-07-2008, 10:48 AM   #1
New Member
 
Join Date: Aug 2008
Posts: 1
Storing Credit Card Details Securely

I am looking for advice on how to store credit card details securely.
I am about to develop a new website (details being finalized). The project consists of a website that requires a user's credit card details to be stored in a database. Unfortunately there is no way around this (I tried to advise against storing the details, but this is a mandatory part of the business). The site requires MySQL and PHP.

So far I have the following:

- use an SSL EV certificate on the web server (XAMPP)
- store the MySQL database on another server (also XAMPP) and restrict permissions depending on the action taking place.
- use 256-bit PHP encryption, and hashing for passing variables, and clean MySQL data (mysql_real_escape_string) before submitting it to the database.

(The site is a public site and the owners want to stay away from the username/password route for clients.)

The system is for a company that claims back credit card charges. Users enter personal information and add credit card details so that the company can claim back the credit card charges. Therefore they need to store the details, but users never need to access the system again (hence no login information). I was thinking of only giving the website 'write' permissions. The data can then be accessed internally only, by staff (who will have to log in to access the data). I was going to restrict access to the internal website by only allowing internal IP addresses (192.168.*.*).

I've read that Amazon use a separate server connected via a serial port because it is easy to analyse the data being passed through and check why it is being accessed. Anyone know how you would check the information being passed through the serial port?

I believe the servers will be behind a SonicWall hardware firewall.

I should also add that there are no actual transactions taking place. All transactions are dealt with offline. The system just needs to be secure to hold the personal and credit card data.

I have a 256-bit encryption algorithm for storing details. I was going to use SourceGuardian or similar to encode the key and PHP files (probably pre-encrypt the key first as well).

Does anyone have any other/more ideas on how to ensure security on the above, or perhaps a different process?
Have I missed anything?
Lord_Webby
08-08-2008, 01:29 AM   #2
Moderator
 
 
Join Date: Jun 2008
Posts: 365

I think you need to do some more research; as far as I know there are also physical requirements when storing credit card details, i.e. the server needs to be in a secure location, with restricted access, etc. You may also need to look at backup strategies, because if one of your backups goes walkabout ....

As for storing, look at encrypting the data with a key before you store it in the DB. When you need to access it you can decrypt it using the key. This means that if someone does get into the DB they will also need your encryption key for the information to be useful.

You might also want to check out this link:

https://www.pcisecuritystandards.org/
jnjc
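The two posts above describe the same design from two sides: the public site writes card details into a database it cannot read back, staff on the internal network read them, and the data sits encrypted under a key that is not in the database. The following is an added example of that split, written for this thread and not code from either poster. It assumes PHP 7.1 or later with the openssl extension, PDO for the database, and a 32-byte random key kept in a file outside the web root (the path, table name, account names and host addresses are all assumptions). Neither post names an algorithm; this example uses AES-256-GCM so the "256-bit encryption" is also tamper-evident, binds each blob to its customer id, and uses prepared statements for the MySQL side.

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP >= 7.1
// with openssl, and a 32-byte random key in a file outside the web root
// (path below is an assumption), never inside the PHP sources themselves.
declare(strict_types=1);

const CIPHER   = 'aes-256-gcm';                 // authenticated AES-256: tamper-evident, not only secret
const KEY_PATH = '/etc/cardvault/master.key';   // assumption: readable by the app user only

// Assumed MySQL setup (run once as an admin; accounts created separately), matching
// the write-only web tier / read-only internal tier split discussed above:
//   CREATE TABLE card_vault (customer_id INT PRIMARY KEY, last4 CHAR(4), pan_enc VARCHAR(128));
//   GRANT INSERT ON shop.card_vault TO 'web'@'10.0.0.5';      -- public site: can add, never read
//   GRANT SELECT ON shop.card_vault TO 'staff'@'192.168.%';   -- internal app: can read, never add

/** Load the key; fail closed if it is missing or the wrong size. */
function load_key(string $path = KEY_PATH): string {
    $raw = @file_get_contents($path);
    if ($raw === false || strlen($raw) !== 32) {
        throw new RuntimeException("key file missing or not 32 bytes: $path");
    }
    return $raw;
}

/** Reject obviously bad input (length and Luhn checksum) before it reaches the vault. */
function luhn_ok(string $pan): bool {
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $len = strlen($pan);
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $pan[$len - 1 - $i];
        if ($i % 2 === 1) {                     // double every second digit from the right
            $d = $d > 4 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

/** Encrypt for storage as "v1:<nonce>:<tag>:<ciphertext>" (base64). The customer id is
 *  bound in as associated data, so a blob copied onto another customer's row will not decrypt. */
function seal_pan(string $key, int $customerId, string $pan): string {
    $nonce = random_bytes(12);                  // fresh 96-bit nonce per record; never reuse under one key
    $tag   = '';
    $ct = openssl_encrypt($pan, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, "customer:$customerId", 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return 'v1:' . base64_encode($nonce) . ':' . base64_encode($tag) . ':' . base64_encode($ct);
}

/** Decrypt; null if the blob is malformed, tampered with, or belongs to another customer. */
function open_pan(string $key, int $customerId, string $blob): ?string {
    $p = explode(':', $blob);
    if (count($p) !== 4 || $p[0] !== 'v1') {
        return null;
    }
    $nonce = base64_decode($p[1], true);
    $tag   = base64_decode($p[2], true);
    $ct    = base64_decode($p[3], true);
    if ($nonce === false || $tag === false || $ct === false) {
        return null;
    }
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, "customer:$customerId");
    return $pt === false ? null : $pt;
}

/** Web tier: runs as the INSERT-only account. Prepared statement, so no manual escaping. */
function store_card(PDO $db, string $key, int $customerId, string $pan): void {
    if (!luhn_ok($pan)) {
        throw new InvalidArgumentException('not a plausible card number');
    }
    $st = $db->prepare('INSERT INTO card_vault (customer_id, last4, pan_enc) VALUES (?, ?, ?)');
    $st->execute([$customerId, substr($pan, -4), seal_pan($key, $customerId, $pan)]);
}

/** Internal tier: runs as the SELECT-only account, after the staff login check has passed. */
function fetch_card(PDO $db, string $key, int $customerId): ?string {
    $st = $db->prepare('SELECT pan_enc FROM card_vault WHERE customer_id = ?');
    $st->execute([$customerId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ? open_pan($key, $customerId, $row['pan_enc']) : null;
}

/** Stand-alone round trip with a throwaway key and a constructed test number (not a real card). */
function self_test(): bool {
    $key   = random_bytes(32);
    $pan   = '4111111111111111';
    $blob  = seal_pan($key, 42, $pan);
    $p     = explode(':', $blob);
    $ct    = base64_decode($p[3]);
    $ct[0] = chr(ord($ct[0]) ^ 0x01);           // flip one ciphertext bit
    $p[3]  = base64_encode($ct);
    return luhn_ok($pan)
        && open_pan($key, 42, $blob) === $pan
        && open_pan($key, 43, $blob) === null           // wrong customer id: tag check fails
        && open_pan($key, 42, implode(':', $p)) === null; // tampered blob: tag check fails
}

echo self_test() ? "ok\n" : "FAIL\n";
```

Run as `php vault.php`; the round trip needs no database, while `store_card()` and `fetch_card()` need a PDO connection made with the respective account. The point of the split is that a compromise of the public site yields an account that can only insert rows and a host that never holds the staff credentials, and a dump of the database alone yields only GCM blobs whose tags fail if anyone edits them or moves them between customers. The key file is the thing that matters: keep it out of the web root and out of version control, restrict it to the application's user, and keep it off the database server, since a key stored next to the data defeats the purpose. None of this takes the stored numbers out of PCI DSS scope, which is what the standard jnjc links to covers.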
08-09-2008, 03:45 PM   #3
New Member
 
Join Date: Aug 2008
Posts: 3
Storing credit cards

I always advise my small business clients against storing credit cards. Other than security problems there are also liability issues. If they want to do subscription/recurring payment transactions later, let a payment gateway such as Authorize.net or PayPal handle that part.


Last edited by ian; 08-21-2008 at 07:33 AM.
datadancing
08-18-2008, 02:47 PM   #4
New Member
 
Join Date: Aug 2008
Posts: 3

You should check with your merchant and payment gateway on their rules and restrictions for storing this information as well.
Kozmo
08-25-2008, 12:05 AM   #5
New Member
 
Join Date: Aug 2008
Posts: 5

Read this for help on preventing people screwing with your databases:

http://www.breach.com/resources/whit...explained.html
!card-maker
10-20-2008, 08:09 PM   #6
New Member
 
Join Date: Oct 2008
Posts: 12
Don't store them

Ask your credit card company for the subscription information; they can store it, and you can use them again and again...
11Sale