You should never [almost never ever] store cc details from your users.
Integrate a 3rd party payment processor into your site and process the
payments immediately. It will cut down on fraud and chargebacks by the
users. Its also more secure since the cc details are not stored on your
machine. What you get back is a payment confirmation number which you can
store in your systemto reord that payment was approved...and if you don't
get one, you know immediately its been disallowed so you can stop the
process at that point.
The issues against it are:
1. its not completely secure. You don't have direct control of the server
and therefore can't assure yourself that the system is locked down tight and
kept updated.
2. Your db may not be secure enough
3. Your code may allow for holes that allow hackers to gain access to the
data.
4. The liability for your business, should your data become compromised.
Don't say it can't happen. Ask Playboy.com. Hackers access 8million accounts
and had all the details.
If you can't use a 3rd party processor, then you still shouldn't store the
data on the server, but send an encrypted email (using pgp) to yourself with
the account / order details for processing. But I strongly recommend using
a 3rd party processor.
Bastien
From: "I. Gray" <phpsupport@xxxxxxxxxxxxxxxxxxxx>
To: php-db@xxxxxxxxxxxxx
Subject: Security and MYSQL databases
Date: Tue, 14 Jun 2005 14:36:50 +0100
Hello.
Simple question. An SSL server and a standard a shared MYSQL server that I
have with my hosts. If I am to set up a shopping cart system, is this a
secure way of handling credit card details. What is the best way of
receiving the details? I assume an email is not a good way as these can be
intercepted. Is MYSQL secure enough in this way?
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
