On Fri, 6 Jan 2006, Neil Smith [MVP, Digital media] wrote:
> Peter Beckman wrote:
>> So I'm thinking about how to save credit card numbers in the DB, for
>> re-charging cards for subscriptions, new orders, etc.
>> Yes yes, lawsuits, scary, etc.
> I'm glad you're so blase about this and the threat of your business going
Not blase -- just sick of hearing "don't do it" "you'll get sued"
"impossible" "what's wrong with you"
I want to secure this information, responsibly. How? (You answer this
below)
> Security by obscurity is a myth.
I believe you -- and if obscurity is a myth, let's document how it can be
done safely for all the world to see and learn!
> *DO NOT* store any credit card numbers on any publicly accessible
> system. Ever. Period.
Sometimes when questions are asked a background of the knowledge of the
poster is not given. I would never do that. A server that is connected
to the internet directly storing credit cards is asking for a lawsuit.
It's got a sign with "please hack me" on it.
> OK, now to the candy: I've had this book a while, and it's one of the most
> insightful and well researched (from experience) books on security I've ever
> read. In fact - so good I'm going to go to the trouble to retype an excerpt
> of a section called "One-Way Credit Card Data Path for Top Security"
> (Bob Toxen) have come up with the concept of a one-way credit card data path.
Now THAT is exactly what I was looking for -- THANKS! I'll go get the
book.
> (snipped section about spot-welded steel pipes encasing LAN cable!)
*laugh* That might be a bit of overkill... but I get the idea.
> The CC server then contacts the processing bank through the private network
> to charge the amt, store the authorisation number if successful and returns
> either "Success" or an appropriate error message
Obviously most CC auths are via the 'net + SSL, private networks don't
apply (and they are kind of cost prohibitive). If you have a
router/firewall/ipfw between your CC and the 'net, blocking incoming but
allowing outgoing to your cc auth host ip(s), is that good enough? What
else can be done?
> As Bob's book is so bloody good, here's the ASIN for it in case you want
> to read all 650 pages of good advice ;-)
> http://www.amazon.com/gp/product/0130464562/qid=1136589506/sr=8-1/ref=pd_bbs_1/104-3174210-9795945?n=507846
Thank you Neil -- sold!
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@xxxxxxxxxxxxx http://www.purplecow.com/
---------------------------------------------------------------------------
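The one-way data path Neil quotes, modelled as an added Python example (not code from Bob Toxen's book, Neil's post or Peter's project): the web tier can only push a card in and get an opaque token back for later re-charges, the vault keeps only the authorisation number per charge, and the egress check mirrors the "block incoming, allow outgoing to the auth host" firewall policy Peter asks about. The processor stand-in, its address and the card number are constructed placeholders.

```python
"""One-way card data path: PANs go in, only tokens and results come out.
The vault's sole outbound destination is the processor allowlist, which is
what the 'deny inbound, allow outbound to the auth host' firewall enforces."""
import hashlib
import ipaddress
import secrets

# Constructed placeholder (TEST-NET-1); a real deployment lists the bank's IPs.
PROCESSOR_ALLOWLIST = {ipaddress.ip_address("192.0.2.10")}


class CardVault:
    def __init__(self, processor):
        self._processor = processor   # callable(pan, amount) -> auth number or None
        self._cards = {}              # token -> PAN; there is no read path for callers
        self._auth_log = {}           # token -> authorisation numbers, kept instead of PANs

    def store(self, pan):
        """Web tier pushes a PAN in; only a random token comes back."""
        token = secrets.token_hex(16)
        self._cards[token] = pan
        self._auth_log[token] = []
        return token

    def charge(self, token, amount):
        """Re-charge a stored card by token; returns 'Success' or an error string."""
        pan = self._cards.get(token)
        if pan is None:
            return "error: unknown token"
        auth = self._processor(pan, amount)
        if auth is None:
            return "error: declined"
        self._auth_log[token].append(auth)
        return "Success"

    def authorisations(self, token):
        return list(self._auth_log.get(token, []))


def egress_permitted(dst, direction):
    """Firewall policy from the thread: no inbound at all, outbound only to the
    processor's address(es). Returns True if the connection would be allowed."""
    if direction == "in":
        return False
    return ipaddress.ip_address(dst) in PROCESSOR_ALLOWLIST


def fake_processor(pan, amount):
    """Constructed stand-in for the bank: approves sane amounts, declines the rest."""
    if not 0 < amount <= 10_000:
        return None
    return hashlib.sha256(f"{pan}:{amount}".encode()).hexdigest()[:8]
```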
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php