  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 335

Data Dumping

With all the well publicised data losses that you hear about in the news (was just looking at UK government losses: http://en.wikipedia.org/wiki/List_of_UK_government_data_losses), it strikes me: should users be allowed to dump mass extracts of sensitive data? Now we ain't public sector, but some data we store would be pretty damn sought after by criminals. What I am after are some practical security controls that could be used to mitigate what users can actually extract from the system and take away on USB or CD to the criminal who just bunged the part-time student who doesn't give a care in the world about the org $250 to do so. Do you limit what extracts users can actually perform? I.e. 1 record ain't gonna be massively sought after by criminals, but if they could extract 10,000 records of credit card details then this is a risk in itself, isn't it? What is a practical way to control this? What do you do on your apps / DB to control this?
0
Asked by: pma111
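One concrete app-level control of the kind the question asks about, added here as an example that is not from the original thread: an export guard that enforces a per-request row cap and a rolling per-user quota, and writes every decision to an audit trail so that repeated denials can be alerted on. The cap, quota and window values are hypothetical.

```python
"""Throttle and audit bulk data extracts (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_ROWS_PER_EXPORT = 500      # hypothetical cap on a single extract
DAILY_ROW_QUOTA = 2000         # hypothetical rolling per-user quota
WINDOW_SECONDS = 24 * 3600     # rolling window for the quota


@dataclass
class ExportGuard:
    """Decides whether a user's extract may run and records every attempt."""
    history: dict = field(default_factory=lambda: defaultdict(deque))
    audit_log: list = field(default_factory=list)

    def _rows_in_window(self, user, now):
        # Drop entries older than the window, then sum what remains.
        q = self.history[user]
        while q and q[0][0] <= now - WINDOW_SECONDS:
            q.popleft()
        return sum(rows for _, rows in q)

    def request_export(self, user, rows_requested, now):
        """Return (allowed, reason). Every call is logged, allowed or not."""
        used = self._rows_in_window(user, now)
        if rows_requested > MAX_ROWS_PER_EXPORT:
            decision = (False, "per-export cap exceeded")
        elif used + rows_requested > DAILY_ROW_QUOTA:
            decision = (False, "daily quota exceeded")
        else:
            decision = (True, "ok")
            self.history[user].append((now, rows_requested))
        self.audit_log.append({"ts": now, "user": user, "rows": rows_requested,
                               "used_before": used, "allowed": decision[0],
                               "reason": decision[1]})
        return decision

    def repeat_offenders(self, min_denials=2):
        """Users denied at least min_denials times: a simple detection hook."""
        counts = defaultdict(int)
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user"]] += 1
        return {u for u, n in counts.items() if n >= min_denials}
```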
1 Solution
 
Kelvin_King commented:
You should read this article on data loss prevention:
http://securosis.com/publications/DLP-Whitepaper.pdf

There are also many commercial DLP products out there. Have a look at RSA or McAfee:

http://www.rsa.com/node.aspx?id=3426
http://www.mcafee.com/us/enterprise/products/data_loss_prevention/index.html
0
 
aleghart commented:
My experience with CC trx is small.  Maybe a few dozen numbers at any one time.  Even repeat numbers are submitted via compliant software or online portal...they are re-submitted via a backend trx hash that does not include the number itself.

So, I have to ask, why does anyone store credit card data that can be used instantly by thieves?  I still wonder why admins at TJX were storing that data.  

Was it an "accident" due to negligence or ignorance?  Was somebody saving the data for mining purposes?

Why do you store card data above and beyond the transaction reference?  (Serious question.  I have a new project coming up that requires more CC trx handling.)
0
 
pma111 (Author) commented:
I actually wasn't on about CC data, to be fair: "but some data we store would be pretty damn sought after by criminals". But useful insight all the same, as sensitive data is sensitive data.
0
 
pma111 (Author) commented:
> My experience with CC trx is small.  Maybe a few dozen numbers at any one time.  Even repeat numbers are submitted via compliant software or online portal...they are re-submitted via a backend trx hash that does not include the number itself.

Do you have any documentation that shows this process? Or useful links?

I am also interested in the below; are there any good papers online that discuss factors as to why people do / don't retain CC data?

> Why do you store card data above and beyond the transaction reference?  (Serious question.  I have a new project coming up that requires more CC trx handling.)
0
 
aleghart commented:
>Do you have any documentation that shows this process? Or useful links?

http://activemerchant.rubyforge.org/classes/ActiveMerchant/Billing/AuthorizeNetGateway.html#

Shows that initial request for automated recurring billing (ARB) is sent with the amount, interval, and duration.

Changes do not require storage of the CC data.  You'll send a hash which includes an identifier for the 'subscription'.  Changes are submitted, not the CC data.

So, no reason to store that CC data for membership type services.

That's the way Authorize.net explained it to me over the phone.

Does that help?
0
 
pma111 (Author) commented:
yes much appreciated
0
 
pma111 (Author) commented:
aleghart, out of interest, you mention membership type services don't require the CC data to be stored in the DB. Out of interest, are there any CC type transactions where the CC data must be stored, i.e. one-off payments etc.? If so could you detail these, as I am just interested more than anything...
0
 
aleghart commented:
@pma111,

No transactions that I know of...but my experience is near zero for ecommerce.

Some customers will request storage of CC data, such as small business owner or authorized buyer with company card.  That way, future payments can be made with the same info.  Useful when the cardholder is not present..."card not present" still requires the data off the card.

I've never stored this in an online manner.  Like I said, small number of transactions, and processed via online virtual terminal, traditional card swipe terminal, or with card processing software (terminal type, not online cart).

0
 
pma111 (Author) commented:
Here is a novice question then. When I log in to PayPal to make a payment, it has my card data ready, albeit all but the last 4 digits of the CC are masked out. Is this data stored, i.e. the full CC number?
0
 
aleghart commented:
I'm sure it is stored, same as your bank account number (if you've authenticated this way).

I'm also trying to learn about maintaining user accounts.  Like I said, I've not had experience with consumer transactions.  The only CC transactions I've handled are large one-time or B2B, and not in any volume.
0
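The pattern aleghart describes for recurring billing (the processor keeps the card and hands back a subscription reference; later changes are sent against that reference, never the card number) together with the "last 4 digits" display pma111 asks about, shown as an added example that is not code from the thread or from Authorize.net. FakeGateway is a constructed stand-in for the processor; the merchant side persists only the opaque reference and the last four digits.

```python
"""Store a processor reference and last 4 instead of the card number (constructed example)."""
import re
import secrets


class FakeGateway:
    """Simulates the processor: it vaults the card, the merchant gets an opaque reference."""

    def __init__(self):
        self._vault = {}

    def create_subscription(self, pan, amount, interval_days, occurrences):
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("malformed card number")
        ref = "sub_" + secrets.token_hex(8)   # opaque handle, worthless outside this processor
        self._vault[ref] = {"pan": pan, "amount": amount,
                            "interval_days": interval_days, "occurrences": occurrences}
        return ref

    def update_subscription(self, ref, **changes):
        """Amount/interval changes travel with the reference only; the PAN is never resent."""
        self._vault[ref].update(changes)
        return self._vault[ref]["amount"]


class MerchantDB:
    """What the merchant persists: the reference and a masked display string, nothing more."""

    def __init__(self):
        self.rows = {}

    def enrol(self, gateway, customer, pan, amount, interval_days, occurrences):
        ref = gateway.create_subscription(pan, amount, interval_days, occurrences)
        # Keep only what is needed to bill again and to show the customer which card it is.
        self.rows[customer] = {"gateway_ref": ref, "last4": pan[-4:],
                               "display": "**** **** **** " + pan[-4:]}
        return ref

    def change_amount(self, gateway, customer, new_amount):
        return gateway.update_subscription(self.rows[customer]["gateway_ref"], amount=new_amount)

    def holds_pan(self, pan):
        """True if the full card number appears anywhere in the merchant's rows (it must not)."""
        return pan in repr(self.rows)
```

A bulk extract of the merchant table then yields references and last-4 values only, which is what makes the "10,000 records of card details" scenario in the question a non-event for this table.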
