We've been reviewing our PCI compliance and I am trying to make sure my bases are covered. I'm wondering if there are any gaps in the security for my custom application.
I have an ecommerce website that stores information, including credit cards, in a SQL Server database. The website and ordering process is secured by an SSL certificate. The credit card info is transmitted and stored encrypted using MD5. (We process credit cards offline.)
My VB.NET application downloads order information, including the encrypted credit card info, and generates a QuickBooks invoice.
In the program, I've stored the keys for decrypting the card info. I run a sub procedure, decrypt the card and, using QODBC (an ODBC driver for QuickBooks), I write the information to an invoice (or customer file).
My connection string for SQL Server looks something like this: "User ID=myuser;Password=mypassword;Initial Catalog=mydb;Data Source=sql2k2.mydataserver.com;"
I connect to the server using SqlConnection (System.Data.SqlClient) in VB.NET. Is this secure?
I can't think of a way that someone could hack an .exe file and read a SQL query - or the encrypted credit card number. And even if they could, I don't know how they could hack the .exe to grab the MD5 keys that are stored in a module.
Then again, I'm not a hacker.
So I know there might not be enough information here for you to provide a concrete answer, but from my description, does it appear that this system should be safe?
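The point the asker is unsure about, whether literals compiled into an .exe can be read back out, is something a build pipeline can check for itself. The following is an added example, not code from the original post: a small Python pre-release scan that pulls printable ASCII and UTF-16LE strings out of a binary (.NET stores string literals as UTF-16 in the assembly's user-string heap) and flags connection-string credentials, SQL literals and key-like blobs. The byte sample is constructed to resemble such a heap; the connection string in it is the one quoted in the question, and the key value is a made-up placeholder.

```python
import re

# Constructed sample resembling a .NET assembly's user-string heap.
# Not a real binary; the literals are the ones a compiled VB.NET app would carry.
CONN_STR = ("User ID=myuser;Password=mypassword;Initial Catalog=mydb;"
            "Data Source=sql2k2.mydataserver.com;")
PLACEHOLDER_KEY = "deadbeef" * 8  # made-up 64-hex-char "key" stored in a module
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "SELECT CardNumber FROM Orders".encode("utf-16-le") + b"\x00\x00"
    + CONN_STR.encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x37" * 8  # non-printable filler between literals
    + PLACEHOLDER_KEY.encode("utf-16-le")
)

# Runs of 8+ printable characters, as plain ASCII and as UTF-16LE (char, NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# What a reviewer would not want shipped inside a client binary.
SECRET_PATTERNS = {
    "connection-string credential":
        re.compile(r"(?i)\b(password|pwd|user id|uid)\s*=\s*[^;]+"),
    "sql query literal":
        re.compile(r"(?i)\b(select|insert|update|delete)\b.+\b(from|into|set)\b"),
    "possible key material":
        re.compile(r"\b[0-9a-fA-F]{32,}\b|\b[A-Za-z0-9+/]{32,}={0,2}"),
}

def extract_strings(data: bytes):
    """Yield printable strings of 8+ chars, like the `strings` tool but UTF-16 aware."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")

def scan_for_secrets(data: bytes):
    """Return (label, string) pairs for each embedded string that looks sensitive."""
    findings = []
    for s in extract_strings(data):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(s):
                findings.append((label, s))
                break  # one label per string is enough for a build gate
    return findings

if __name__ == "__main__":
    for label, text in scan_for_secrets(SAMPLE_BINARY):
        print(f"[{label}] {text}")
```

Run against the built .exe (`scan_for_secrets(open("app.exe", "rb").read())`) as a release gate; anything it flags is readable by whoever holds a copy of the binary, so credentials and keys belong in an external store (DPAPI, a vault, or a server-side component) rather than in the program.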