Thread: doubt on how to store credit card numbers in data base in web enabled applications
View Single Post
  #3 (permalink)
Old 2nd June 2008, 01:03 PM
kidakaka
CEan - Value Adder
 
kidakaka's Avatar
 
I'm a Crazy Computer Science Engineer
Join Date: 18th October 2006
Location: Mumbai, Hyderabad
Posts: 458
Send a message via AIM to kidakaka Send a message via MSN to kidakaka Send a message via Yahoo to kidakaka Send a message via Skype™ to kidakaka
Default Re: doubt on how to store credit card numbers in data base in web enabled applicatio
Deepthi,

Answer is simple. Dont!!

If you still have to do it (in case you have your own in-house payment gateway), then atleast have the following things in place -

1. a strong SSL certificate (Thawte, Verisign, et al)
2. SSL enabled webserver
3. Stop direct access to the database server
4. Stop direct root login on the database server
5. Stop all extra ports on the database and web servers (keep the ssh port open, and that too only for one particular ip)
6. Keep a strong password policy for both your servers
7. Have all database accesses from the webserver through the internal interface and not on the external ones

And that is just the start. Ideally, seek the advice of an ethical hacker on this.

I would still stick with the first option of not storing the CC no.s
kidakaka is offline   Reply With Quote