mit1290 asked:

Storing credit card information

I have a client that is thinking about storing credit card information of users so they can come back and place new orders without having to type in all their information again. What is the best practice (most secure) to store this information?
Tags: E-Commerce, Security

Last comment: chris_calabrese, 8/22/2022 - Mon
kruptos

Is this for a Web based application?
Internal Database?
Are you thinking of storing them in Quickbooks?

Please let me know so I can help :-)

-Kruptos
mit1290

ASKER
This is for a web application (PHP/MSSQL)
kruptos

First and foremost make sure that all the data is not directly exposed to the internet. If you can, you should host the MSSQL on a separate machine from the Website front end. Apply access rules to a firewall to limit the access to the SQL database.

Make sure that all Operating Systems, SQL and PHP software is up to date with the latest patches.

One of the largest forms of attack against databases for Web applications that leads to compromise is SQL Injection. Read this article to give you an idea of how it is conducted and how to protect against it.

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html

A large part of exploits today are not just application flaws, but also configuration errors. You would be surprised at how many times a simple checkbox can leave a website wide open to attackers.

Let me know if you need some more help!

-Kruptos

mit1290

ASKER
What about the actual storage of the data? hashing/public private keys/ etc.
ASKER CERTIFIED SOLUTION
Rich Rumble

chris_calabrese

Doing this is a Big Deal since you need to comply with the Payment Card Industry (PCI) Data Security Standard, which requires third party security reviews, certain types of training, certain types of testing, etc., etc., etc. (google for more info)

Much better to use a third party as Rich Rumble suggests.
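As an added illustration (not code from this thread or from any of the posters), here is how the two pieces of advice above fit together for a PHP/MSSQL site: Kruptos's point about defending the database against SQL injection, and the point from chris_calabrese and the accepted answer that the card number itself is better left with a third party. The application keeps only the processor's opaque token plus the brand, last four digits and expiry, and every query is a PDO prepared statement. The table and column names, the connection details and the processor token are assumptions for the example; it also assumes the PDO `sqlsrv` driver is installed.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlsrv driver and a
// payment processor that returns an opaque token for a card it has vaulted.
// Table name, column names and connection values are placeholders/assumptions.

declare(strict_types=1);

function connectShopDb(): PDO
{
    // Placeholders: host, database, user and password are not real values.
    $dsn = 'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=shop';
    return new PDO($dsn, 'shop_app', 'PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
    ]);
}

/**
 * Store what the site needs to show a saved card: the processor's token,
 * the brand, the last four digits and the expiry. The full card number and
 * the CVV are never written; the processor keeps the PAN under its own PCI scope.
 */
function saveCardOnFile(
    PDO $pdo,
    int $customerId,
    string $processorToken,
    string $brand,
    string $last4,
    int $expMonth,
    int $expYear
): void {
    // Refuse anything that looks like more than four digits: a full PAN must
    // never reach this table, even by a caller's mistake.
    if (!preg_match('/^\d{4}$/', $last4)) {
        throw new InvalidArgumentException('last4 must be exactly four digits');
    }
    if ($expMonth < 1 || $expMonth > 12) {
        throw new InvalidArgumentException('invalid expiry month');
    }

    // Parameterised INSERT: user-supplied values travel separately from the
    // SQL text, so a value containing quotes or semicolons is stored as data,
    // never executed as part of the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO saved_cards
            (customer_id, processor_token, brand, last4, exp_month, exp_year)
         VALUES (:cid, :tok, :brand, :last4, :m, :y)'
    );
    $stmt->execute([
        ':cid'   => $customerId,
        ':tok'   => $processorToken,
        ':brand' => $brand,
        ':last4' => $last4,
        ':m'     => $expMonth,
        ':y'     => $expYear,
    ]);
}

/**
 * Look up a customer's saved cards for the "pay with a saved card" screen.
 *
 * The injectable pattern this replaces builds the statement by string
 * concatenation, e.g.  "SELECT ... WHERE customer_id = " . $_GET['cid'],
 * which lets request input rewrite the query. Binding the id as an integer
 * parameter means it can only ever be compared, not interpreted as SQL.
 */
function listSavedCards(PDO $pdo, int $customerId): array
{
    $stmt = $pdo->prepare(
        'SELECT processor_token, brand, last4, exp_month, exp_year
           FROM saved_cards
          WHERE customer_id = :cid'
    );
    $stmt->bindValue(':cid', $customerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch for a returning customer: the stored token is sent to the
// processor to charge the card; the card number never passes through this
// application again. chargeWithToken() stands for the processor's API call
// and is an assumption, not a real library function.
//
// $pdo   = connectShopDb();
// $cards = listSavedCards($pdo, $customerId);
// chargeWithToken($cards[0]['processor_token'], $amountInCents);
```

The design point is that the database holds nothing a thief could charge with: a leaked `saved_cards` table yields processor tokens that are only usable from this merchant's processor account, plus display data. That keeps the full card number out of the PHP/MSSQL environment entirely, which is what shrinks the PCI scope chris_calabrese describes.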