Credit Card details protected??
April 18th, 2002, 03:20 AM
Introspective
Join Date: Nov 2001
Location: London, UK
Credit Card details protected??
I recently worked for a company who stored all the CC details of their clients in a database - unencrypted. Access over the internet was controlled by only allowing a few IP addresses to connect (company members/developers etc.). I couldn't help thinking that there must be a safer way to deal with this data. What are your thoughts on IP blocking to protect a database? One member of the company suggested that if a fraudster wanted to get hold of CC details, there would be a much easier way of doing it - oh, and that if the company was hacked, nobody would know and the victims would never know where their CC was taken from... if you know what I mean.
What's the general voice on this topic? My cruise around these forums revealed that most of us totally disagree with the idea of storing any CC data in any form.
Christo
__________________
This is me: http://chris.uk.com

April 18th, 2002, 09:56 AM
Gödelian monster
Join Date: Jul 1999
Location: Central Florida, USA
I agree that the best way to protect yourself in these areas is to NOT save credit card data. But sometimes a company needs to save that data in order to handle repeated transactions, etc.
In these cases, though, I think it is important to use the maximum amount of protection possible. Storing the data in encrypted form is one way to do this.
In fact, storing encrypted data is such an easy thing to do nowadays that there is no real excuse not to do it with credit card data. Yes, encrypted data can sometimes be broken, but it's a lot more work.
The second part of this is to ask the question "what programs/PHP scripts/Perl scripts are handling this data?" This could be another weak link in the chain. If you have encrypted data, but the encryption key is written in plain text right in your scripts, then what's the point? Fortunately, PHP scripts can be encrypted with the Zend Encoder. I'm not sure if there is any way to hide such data in Perl, but I believe there are methods of pre-compiling Perl scripts. Otherwise, one could consider using a compiled language such as C or Java to handle the data.
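
An added example, not part of the original thread or any poster's code: one way to store a card number encrypted while keeping the key out of the script, the weak link described in the post above. The environment variable `CARD_DATA_KEY` and the function names are assumptions, and the card number is a constructed test value.

```php
<?php
// Added example: field-level encryption of a card number with AES-256-GCM.
// CARD_DATA_KEY and all function names are assumptions, not from the thread.

function load_key(): string
{
    // The key lives outside the script and the database: 64 hex chars = 32 bytes.
    $hex = getenv('CARD_DATA_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CARD_DATA_KEY missing or malformed');
    }
    return hex2bin($hex);
}

function encrypt_pan(string $pan, string $key, string $customerId): string
{
    $iv = random_bytes(12); // fresh nonce for every record
    $tag = '';
    // The customer id is bound as associated data, so a ciphertext copied
    // onto another customer's row fails authentication on decrypt.
    $ct = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $customerId);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // single column value
}

function decrypt_pan(string $stored, string $key, string $customerId): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) { // 12-byte IV + 16-byte tag + data
        throw new RuntimeException('malformed record');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pan = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $customerId);
    if ($pan === false) {
        throw new RuntimeException('authentication failed: wrong key, wrong row or tampered data');
    }
    return $pan;
}

// Constructed demo: a throwaway key and a test card number, not real data.
putenv('CARD_DATA_KEY=' . bin2hex(random_bytes(32)));
$key = load_key();
$row = encrypt_pan('4111111111111111', $key, 'cust-1001');
echo decrypt_pan($row, $key, 'cust-1001'), "\n";
try { decrypt_pan($row, $key, 'cust-2002'); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

A database dump alone then yields only ciphertext; the key still has to be protected wherever the environment is configured.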

April 18th, 2002, 10:07 AM
Introspective
Join Date: Nov 2001
Location: London, UK
thanks
Good to hear your thoughts, rycamor. I agree that more should be done to protect customers and ultimately the company. I wonder what your thoughts are on the IP blocking solution?
Christo

September 21st, 2002, 04:03 PM
Full Access
Join Date: Jun 2000
Location: London, UK
Generally you don't access a database directly, you access it via some kind of interface, be this a graphical front end to the database, a Perl/PHP script, or whatever. You can limit the access rights to certain IP addresses on the interface in a number of ways, depending what the interface is.
__________________
Alex
(http://www.alex-greg.com)