Security and Cryptography
 
  #1  
April 18th, 2002, 04:20 AM
christo
Credit Card details protected??

I recently worked for a company who stored all the CC details of their clients in a database - unencrypted. Access over the internet was controlled by only allowing a few IP addresses to connect (company members/developers etc.). I couldn't help thinking that there must be a safer way to deal with this data. What are your thoughts on IP blocking to protect a database? One member of the company suggested that if a fraudster wanted to get hold of CC details, there would be a much easier way of doing it - oh, and that if the company was hacked, nobody would know and the victims would never know where their CC was taken from... if you know what I mean.

What's the general voice on this topic? My cruise around these forums revealed that most of us totally disagree with the idea of storing any CC data in any form.

Christo
  #2  
April 18th, 2002, 10:56 AM
rycamor
I agree that the best way to protect yourself in these areas is to NOT save credit card data. But sometimes a company needs to save that data in order to handle repeated transactions, etc.
In these cases, though, I think it is important to use the maximum amount of protection possible. Storing the data in encrypted form is one way to do this.

In fact, storing encrypted data is such an easy thing to do nowadays that there is no real excuse not to do it with credit card data. Yes, encrypted data can sometimes be broken, but it's a lot more work.

The second part of this is to ask the question "what programs/PHP scripts/Perl scripts are handling this data?" This could be another weak link in the chain. If you have encrypted data, but the encryption key is written in plain text right in your scripts, then what's the point? Fortunately, PHP scripts can be encrypted with the Zend Encoder. I'm not sure if there is any way to hide such data in Perl, but I believe there are methods of pre-compiling Perl scripts. Otherwise, one could consider using a compiled language such as C or Java to handle the data.
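An added example, not written by any poster in this thread: one way to do in PHP what post #2 describes, encrypting the card number before it reaches the database while keeping the key out of the script. The environment variable `CARD_KEY_B64`, the function names and the sample customer id are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+ with the OpenSSL extension.
// CARD_KEY_B64 is a hypothetical environment variable holding a base64-encoded
// 32-byte key, provisioned outside the code base (e.g. by the deployment system).
function load_card_key(): string
{
    $b64 = getenv('CARD_KEY_B64');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('card key missing or not 32 bytes');
    }
    return $key;
}

// Encrypts a card number with AES-256-GCM. $customerId is bound as associated
// data, so a ciphertext copied onto another customer's row fails to decrypt.
function encrypt_pan(string $pan, string $customerId, string $key): string
{
    $iv = random_bytes(12);                  // fresh nonce for every record
    $tag = '';
    $ct = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $customerId);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);  // single value for the database column
}

function decrypt_pan(string $stored, string $customerId, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 29) {  // 12-byte nonce + 16-byte tag + data
        throw new RuntimeException('malformed record');
    }
    $iv = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct = substr($raw, 28);
    $pan = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $customerId);
    if ($pan === false) {
        throw new RuntimeException('record tampered with or wrong key');
    }
    return $pan;
}

// Constructed demo: a throwaway key and a commonly used test card number.
putenv('CARD_KEY_B64=' . base64_encode(random_bytes(32)));
$key = load_card_key();
$row = encrypt_pan('4111111111111111', 'cust-1001', $key);
echo decrypt_pan($row, 'cust-1001', $key), "\n";
```

A dump of the database alone then yields only ciphertext; the key still has to be protected on the host that runs the script.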
  #3  
April 18th, 2002, 11:07 AM
christo
thanks

Good to hear your thoughts, rycamor. I agree that more should be done to protect customers and ultimately the company. I wonder what your thoughts are on the IP blocking solution?

Christo

  #4  
September 21st, 2002, 05:03 PM
alexgreg
Generally you don't access a database directly, you access it via some kind of interface, be this a graphical front end to the database, a Perl/PHP script, or whatever. You can limit the access rights to certain IP addresses on the interface in a number of ways, depending on what the interface is.