mit1290

Storing credit card information

I have a client that is thinking about storing credit card information of users so they can come back and place new orders without having to type in all their information again. What is the best practice (most secure) to store this information?
kruptos

Is this for a Web based application?
Internal Database?
Are you thinking of storing them in Quickbooks?

Please let me know so I can help :-)

-Kruptos
mit1290

ASKER

This is for a web application (PHP/MSSQL)

First and foremost make sure that all the data is not directly exposed to the internet. If you can, you should host the MSSQL on a separate machine from the website front end. Apply access rules to a firewall to limit the access to the SQL database.

Make sure that all Operating Systems, SQL and PHP software is up to date with the latest patches.

One of the largest forms of attack against databases for Web applications that leads to compromise is SQL Injection. Read this article to give you an idea of how it is conducted and how to protect against it.

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html

A large part of exploits today are not just application flaws, but also configuration errors. You would be surprised at how many times a simple checkbox can leave a website wide open to attackers.

Let me know if you need some more help!

-Kruptos
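The SQL injection point above, as an added example (not code from the thread or from kruptos): the customer lookup in the asker's PHP stack written the injectable way and the parameterized way, using PDO against an in-memory SQLite table as an offline stand-in for the MSSQL backend. The table, its rows, the column names and the two inputs are constructed for the demo.

```php
<?php
// Added example: same lookup, injectable vs. parameterized.
// SQLite in memory is a stand-in so this runs offline; against the asker's
// MSSQL backend the DSN would be "sqlsrv:Server=<host>;Database=<db>" (assumed
// PDO_SQLSRV driver) and the rest of the PDO code stays the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: card_token stands for a reference issued by a third-party
// payment processor, not the card number itself.
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_token TEXT)');
$pdo->exec("INSERT INTO customers VALUES (1, 'alice@example.com', 'tok_constructed_1'),
                                         (2, 'bob@example.com',   'tok_constructed_2')");

// VULNERABLE: the form value is spliced into the SQL text, so a quote in the
// input changes the query's structure instead of being treated as data.
function findCustomerUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM customers WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the input is bound as a
// parameter and can only ever match, or fail to match, an email value.
function findCustomerSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM customers WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice@example.com';
$hostile = "' OR '1'='1";   // constructed input a login or order form field could carry

// With the hostile input the unsafe WHERE clause becomes
//   email = '' OR '1'='1'
// which is true for every row; the prepared statement just looks for a
// customer whose email literally equals the hostile string.
printf("unsafe, normal input:  %d row(s)\n", count(findCustomerUnsafe($pdo, $normal)));
printf("unsafe, hostile input: %d row(s)\n", count(findCustomerUnsafe($pdo, $hostile)));
printf("safe,   normal input:  %d row(s)\n", count(findCustomerSafe($pdo, $normal)));
printf("safe,   hostile input: %d row(s)\n", count(findCustomerSafe($pdo, $hostile)));
```

Run it with `php` built with pdo_sqlite; the unsafe variant returns the whole customer table for the hostile input while the prepared statement returns nothing.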


mit1290

ASKER

What about the actual storage of the data? hashing/public private keys/ etc.
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members.

Doing this is a Big Deal since you need to comply with the Payment Card Industry (PCI) Data Security Standard, which requires third party security reviews, certain types of training, certain types of testing, etc., etc., etc. (google for more info)

Much better to use a third party as richrumble suggests.