KHeon
Posting Yak Master
USA
135 Posts
Posted - 06/05/2002 : 11:52:16
I work for a company that has been building web apps for 8 years for various clients. Not once have we stored credit card information in a database; even when the client requested it, we talked them out of it.
However, if we ever got to a point where we decided we were going to store credit cards in the database, we'd be encrypting them for sure (public/private key), and I'd imagine we'd go so far as cycling the key pair, if not generating a new key pair for each entry (that might be undoable, not sure; like I said, we've never done it).
Glad to see that you are at least being proactive. Security is a big thing these days, and I agree it's tough to get it right, especially the first time. Another thing to consider in terms of security is to make sure that your system isn't susceptible to "SQL injection", because if it is, a clever hacker could retrieve the credit card information without even having physical access to your server. Search this site (and forum) for more information on SQL injection.
Good luck!
Kyle Heon, PixelMEDIA, Inc., Senior Application Programmer, MCP, kheon@pixelmedia.com
JamesH
Posting Yak Master
USA
149 Posts
Posted - 06/05/2002 : 15:52:36
Great point about SQL injection. It's really misunderstood, and many programmers that I've talked to think that it's a far-fetched DBA scare tactic to make them code a little cleaner.
Here's a link to a site devoted to SQL security. I forgot to post it this morning.
http://www.sqlsecurity.com
JamesH.
rrb
SQLTeam Poet Laureate
Australia
1478 Posts
Posted - 06/05/2002 : 19:16:52
quote: maybe rrb needs to get a hobby without a keyboard.
Hobby?? Keyboard?? Funny you should mention that to an old muso... OK, back to drums it is.
PS - Thanks for the links on security. I'd love to see some more security articles, oh rob-TWISTED is my middle name-volk.
-- I hope that when I die someone will say of me "That guy sure owed me a lot of money"
Merkin
Funky Drop Bear Fearing SQL Dude!
Australia
4970 Posts
Posted - 06/05/2002 : 19:24:23
Funny you should mention that. I have a half-written one on SQL injection.
Maybe I should finish that one off.
Damian
KHeon
Posting Yak Master
USA
135 Posts
Posted - 06/06/2002 : 07:22:31
www.sqlsecurity.com is a great site for learning how to better secure your server, even though they provide you with tools to "break" into your server as well. :)
Yeah, the company I work for has finally begun to move to SQL Server as our primary website database (for our clients), which makes me very happy (considering I just spent the past year taking SQL Server courses and cramming for my Microsoft certification), and SQL injection has been a big thing. We've spent a lot of time reading on how to write better code to stop it.
Thanks!
Kyle Heon, PixelMEDIA, Inc., Senior Application Programmer, MCP, kheon@pixelmedia.com
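An added example, not code from the thread or from any of the posters: the string-built query pattern the posts warn about, placed beside its parameterized form and run against a constructed in-memory SQLite table so the difference is observable. SQLite stands in for SQL Server (its placeholder is `?` rather than `@name`, but the principle is the same); the table, rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows (not from the thread). Only the last four digits of
# each card are kept, which is all an order-lookup page should ever need.
SAMPLE_ORDERS = [
    (1, "alice", "4242"),
    (2, "bob", "1111"),
    (3, "carol", "9876"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The pattern the thread warns about: caller input is pasted into the SQL
    text, so a quote character in the input changes the statement itself."""
    sql = f"SELECT id, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened form: the statement is a constant and the value is bound as a
    parameter, so the driver only ever compares it as data."""
    sql = "SELECT id, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare(customer: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, customer)),
        "safe": len(lookup_safe(conn, customer)),
    }


if __name__ == "__main__":
    # A normal name behaves the same either way ...
    print(compare("alice"))  # {'vulnerable': 1, 'safe': 1}
    # ... but an input containing a quote turns the string-built WHERE clause
    # into a tautology and returns every customer's row; the bound version
    # matches nothing because no customer has that literal name.
    print(compare("x' OR '1'='1"))  # {'vulnerable': 3, 'safe': 0}
```

The same contrast holds for the SQL Server client libraries of the era (ADO command parameters) and for any driver that supports bound parameters; the fix is never to build the statement text from user input.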
JamesH
Posting Yak Master
USA
149 Posts
Posted - 06/06/2002 : 12:05:42
See, I'm glad to see that someone has realized what prevents problems like this to begin with.
quote: We've spent a lot of time reading on how to write better code to stop it
I don't know how many people that I've interviewed over the last two years seem to have never learned the fundamentals, i.e. how to properly design a database and how to write proper code. I can't count the number of times I've heard, "Well, we never built an ER diagram 'cause we did it as we went along." And I know it's going well when I see that 1000-yard stare when I start grilling them about cardinalities and database design. Don't get me started on the comments I've gotten when I ask for queries...
JamesH.
aclarke
Posting Yak Master
Canada
133 Posts
Posted - 08/08/2002 : 20:33:32
Not sure how useful this will be a couple months later, but...
If you really need to store your credit card numbers for some reason and really need to use a shared SQL Server host, you can at least encrypt the information in your database. Of course, if your application is on the same server or is hosted with the same company, this won't do you MUCH good, but if you can keep the encryption key separate from the database server, encryption is a good step to take.
Edited by - aclarke on 08/08/2002 20:36:48
Tim
Starting Member
Australia
392 Posts
Posted - 08/13/2002 : 02:21:51
An alternative is to outsource it. Read the information for businesses at http://www.passport.com. You might even justify the cost by the reduced development you need to do.
I am not pimping for Microsoft; there are probably similar services from other vendors out there.
Besides, I am not keen on Microsoft after what they did to Nancy...
---- Nancy Davolio: Best looking chick at Northwind 1992-2000
Edited by - tim on 08/13/2002 02:23:12