SQL Server Forums
 Is DTS Secure for credit card backup to Access?
KHeon (Posting Yak Master, USA, 135 Posts)

Posted - 06/05/2002 : 11:52:16
I work for a company that has been building web apps for 8 years for various clients. Not once have we stored credit card information in a database; even when the client requested it, we talked them out of it.

However, if we ever got to a point where we decided we were going to store credit cards in the database, we'd be encrypting them for sure (Public/Private Key), and I'd imagine we'd go so far as cycling the key pair, if not generating a new key pair for each entry (that might be undoable, not sure; like I said, we've never done it).

Glad to see that you are at least being proactive. Security is a big thing these days, and I agree it's tough to get it right, especially the first time. Another thing to consider in terms of security is making sure that your system isn't susceptible to "SQL Injection", because if it is, a clever hacker could retrieve the credit card information without even having physical access to your server. Search this site (and forum) for more information on SQL Injection.

Good luck!

Kyle Heon
PixelMEDIA, Inc.
Senior Application Programmer, MCP
kheon@pixelmedia.com
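The SQL injection risk raised in the post above, shown as an added example that is not part of the thread: a lookup built by string concatenation beside the same lookup with bound parameters. It uses Python's stdlib sqlite3 so it runs offline; the table, rows and inputs are constructed for the demo, and the same parameterised approach applies to SQL Server through ADO/ODBC.

```python
"""Added example (not from the thread): concatenated SQL versus a
parameterised query. sqlite3 is used only so the demo runs offline;
the table and its rows are constructed sample data."""
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "O'Brien", "3333")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the caller's input becomes part of the SQL text,
    so quote characters in it change the statement's meaning."""
    sql = (
        "SELECT id, name, card_last4 FROM customers WHERE name = '"
        + name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and sent
    separately from the SQL text, so it can only ever match a name."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_breaks_on_apostrophe(conn):
    """A legitimate name with an apostrophe is enough to break the
    concatenated query; returns True when the driver rejects it."""
    try:
        lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False
```

Run `lookup_unsafe` and `lookup_safe` with the same input containing a quote to see that only the parameterised query treats it as data.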

JamesH (Posting Yak Master, USA, 149 Posts)

Posted - 06/05/2002 : 15:52:36
Great point about SQL injection. It's really misunderstood, and many programmers that I've talked to think that it's a far-fetched DBA scare tactic to make them code a little cleaner.

Here's a link to a site devoted to SQL Security. I forgot to post it this morning.

http://www.sqlsecurity.com


JamesH.


rrb (SQLTeam Poet Laureate, Australia, 1479 Posts)

Posted - 06/05/2002 : 19:16:52
quote:
maybe rrb needs to get a hobby without a keyboard.


hobby?? keyboard?? Funny you should mention that to an old muso......OK back to drums it is

PS - Thanks for the links on security. I'd love to see some more security articles oh rob-TWISTED is my middle name-volk

--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"

Merkin (Funky Drop Bear Fearing SQL Dude!, Australia, 4970 Posts)

Posted - 06/05/2002 : 19:24:23
Funny you should mention that. I have a half written one on SQL Injection.

Maybe I should finish that one off.

Damian

KHeon (Posting Yak Master, USA, 135 Posts)

Posted - 06/06/2002 : 07:22:31
www.sqlsecurity.com is a great site for learning how to better secure your server, even though they provide you tools to "break" into your server as well. :)

Yeah, the company I work for has finally begun to move to SQL Server as our primary website database (for our clients), which makes me very happy (considering I just spent the past year taking SQL Server courses and cramming for my Microsoft Certification), and SQL Injection has been a big thing. We've spent a lot of time reading on how to write better code to stop it.

Thanks!

Kyle Heon
PixelMEDIA, Inc.
Senior Application Programmer, MCP
kheon@pixelmedia.com

JamesH (Posting Yak Master, USA, 149 Posts)

Posted - 06/06/2002 : 12:05:42
See, I'm glad to see that someone has realized what prevents problems like this to begin with.

quote:
We've spent a lot of time reading on how to write better code to stop it


I don't know how many people I've interviewed over the last two years that seem to have never learned the fundamentals, i.e. how to properly design a database and how to write proper code. I can't count the number of times I've heard, "Well, we never built an ER Diagram 'cause we did it as we went along". And I know it's going well when I see that 1000 yard stare when I start grilling them about cardinalities and database design. Don't get me started with the comments I've gotten when I ask for queries...

JamesH.


aclarke (Posting Yak Master, Canada, 133 Posts)

Posted - 08/08/2002 : 20:33:32
Not sure how useful this will be a couple months later, but...

If you really need to store your Credit Card numbers for some reason and really need to use a shared SQL Server host, you can at least encrypt the information into your database. Of course, if your application is on the same server or is hosted with the same company, this won't do you MUCH good, but if you can keep the encryption key separate from the Database Server, encryption is a good step to take.

Edited by - aclarke on 08/08/2002 20:36:48

Tim (Starting Member, Australia, 392 Posts)

Posted - 08/13/2002 : 02:21:51
An alternative is to outsource it. Read the information for businesses at http://www.passport.com - you might even justify the cost by the reduced development you need to do.

I am not pimping for Microsoft, there are probably similar services from other vendors out there.

Besides I am not keen on Microsoft after what they did to Nancy...

----
Nancy Davolio: Best looking chick at Northwind 1992-2000

Edited by - tim on 08/13/2002 02:23:12