#1 Introspective
    Devshed Loyal (3000 - 3499 posts) | Join Date: Nov 2001 | Location: London, UK | Posts: 3,317 | Rep Power: 110

    Credit Card details protected??

    I recently worked for a company who stored all the CC details of their clients in a database - unencrypted. Access over the internet was controlled by only allowing a few IP addresses to connect (company members/developers etc). I couldn't help thinking that there must be a safer way to deal with this data. What are your thoughts on IP blocking to protect a database? One member of the company suggested that if a fraudster wanted to get hold of CC details, there would be a much easier way of doing it - oh, and that if the company was hacked, nobody would know and the victims would never know where their CC was taken from... if you know what I mean.

    What's the general voice on this topic? My cruise around these forums revealed that most of us totally disagree with the idea of storing any CC data in any form.

    Christo
    This is me: http://chris.uk.com
#2 Gödelian monster
    Devshed Regular (2000 - 2499 posts) | Join Date: Jul 1999 | Location: Central Florida, USA | Posts: 2,307 | Rep Power: 62

    I agree that the best way to protect yourself in these areas is to NOT save credit card data. But sometimes a company needs to save that data in order to handle repeated transactions, etc... In these cases, though, I think it is important to use the maximum amount of protection possible. Storing the data in encrypted form is one way to do this.

    In fact, storing encrypted data is such an easy thing to do nowadays that there is no real excuse not to do it with credit card data. Yes, encrypted data can sometimes be broken, but it's a lot more work.

    The second part of this is to ask the question "what programs/PHP scripts/Perl scripts are handling this data?" This could be another weak link in the chain. If you have encrypted data, but the encryption key is written in plain text right in your scripts, then what's the point? Fortunately, PHP scripts can be encrypted with the Zend Encoder. I'm not sure if there is any way to hide such data in Perl, but I believe there are methods of pre-compiling Perl scripts. Otherwise, one could consider using a compiled language such as C or Java to handle the data.

    The real n-tier system:
    FreeBSD -> PostgreSQL -> [any_language] -> Apache -> Mozilla/XUL
    Amazon wishlist -- rycamor (at) gmail.com
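An added example of the two points in the post above (encrypt the stored card number, and keep the key out of the script), written for this thread rather than taken from any poster, and in Go instead of the PHP/Perl the post mentions. The CARD_KEY environment variable, the customer id bound as associated data, and the hex key format are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"os"
)
// CardRecord is the database row: the card number itself is never stored in clear.
type CardRecord struct {
	Last4      string // safe to show to staff; enough to identify the card
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// NewVault builds an AES-256-GCM cipher from a hex-encoded 32-byte key; VaultFromEnv
// takes that key from CARD_KEY (assumed name), so it never sits in the script or in source control.
func NewVault(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, errors.New("CARD_KEY must be 64 hex chars; refusing to start")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func VaultFromEnv() (cipher.AEAD, error) { return NewVault(os.Getenv("CARD_KEY")) }

// Encrypt seals the card number under a fresh random nonce; the customer id is bound
// as associated data, so a ciphertext copied onto another customer's row won't open.
func Encrypt(v cipher.AEAD, customerID, pan string) (CardRecord, error) {
	nonce := make([]byte, v.NonceSize())
	if _, err := rand.Read(nonce); err != nil || len(pan) < 13 {
		return CardRecord{}, errors.New("rng failure or card number too short")
	}
	ct := v.Seal(nonce, nonce, []byte(pan), []byte(customerID))
	return CardRecord{Last4: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// Decrypt is the only path back to the full number; call it from the payment step only.
func Decrypt(v cipher.AEAD, customerID string, rec CardRecord) (string, error) {
	if len(rec.Ciphertext) < v.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	n := v.NonceSize()
	pt, err := v.Open(nil, rec.Ciphertext[:n], rec.Ciphertext[n:], []byte(customerID))
	return string(pt), err
}
```

With the key only present in the process environment, a dump of the scripts or of the database table on its own yields ciphertext and last-four digits, not card numbers.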
#3 Introspective
    Devshed Loyal (3000 - 3499 posts) | Join Date: Nov 2001 | Location: London, UK | Posts: 3,317 | Rep Power: 110

    thanks

    Good to hear your thoughts, rycamor. I agree that more should be done to protect customers and ultimately the company. I wonder what your thoughts are on the IP blocking solution?

    Christo
    This is me: http://chris.uk.com
#4 Full Access
    Devshed Regular (2000 - 2499 posts) | Join Date: Jun 2000 | Location: London, UK | Posts: 2,019 | Rep Power: 17

    Generally you don't access a database directly; you access it via some kind of interface, be this a graphical front end to the database, a Perl/PHP script, or whatever. You can limit the access rights to certain IP addresses on the interface in a number of ways, depending on what the interface is.
    Alex
    (http://www.alex-greg.com)
