Re: Security and MYSQL databases

Thanks,

I kind of suspected this, but it's good to be told. I wouldn't like to think my CC details were held on some database somewhere where they can get hacked into. Apart from PayPal, are there any other 3rd party payment processors that anyone recommends? I think we're perhaps going a little off topic here, so sorry.

Bastien Koert wrote:
You should never [almost never ever] store cc details from your users. Integrate a 3rd party payment processor into your site and process the payments immediately. It will cut down on fraud and chargebacks by the users. It's also more secure since the cc details are not stored on your machine. What you get back is a payment confirmation number which you can store in your system to record that payment was approved...and if you don't get one, you know immediately it's been disallowed so you can stop the process at that point.

The issues against it are:
1. It's not completely secure. You don't have direct control of the server and therefore can't assure yourself that the system is locked down tight and kept updated.
2. Your db may not be secure enough.
3. Your code may allow for holes that allow hackers to gain access to the data.
4. The liability for your business, should your data become compromised. Don't say it can't happen. Ask Playboy.com. Hackers accessed 8 million accounts and had all the details.

If you can't use a 3rd party processor, then you still shouldn't store the data on the server, but send an encrypted email (using PGP) to yourself with the account / order details for processing. But I strongly recommend using a 3rd party processor.

Bastien

From: "I. Gray" <phpsupport@xxxxxxxxxxxxxxxxxxxx>
To: php-db@xxxxxxxxxxxxx
Subject:  Security and MYSQL databases
Date: Tue, 14 Jun 2005 14:36:50 +0100

Hello.

Simple question. An SSL server and a standard shared MYSQL server that I have with my hosts. If I am to set up a shopping cart system, is this a secure way of handling credit card details? What is the best way of receiving the details? I assume an email is not a good way as these can be intercepted. Is MYSQL secure enough in this way?

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

