Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

database security for storing online credit card information

Posted on 2014-09-08
6
Medium Priority
?
321 Views
Last Modified: 2014-09-10
Hi Experts,

I'm gathering some requirements for a new database that will serve for a .NET website that will accept online credit card applications for businesses.  It has been awhile since I've worked with SQL Server and I'm trying get prepared on the what questions I need to address around designing this database?

There will need to be tables setup that keep track of the credit card approval process (all steps during it's approval).
There will need to be the ability to differentiate between new account requests and adding a new cardholder to an existing account.  A different application will be required for both scenarios.
There will need to be the ability to attach large documents.

So, my first question, is what are the ways to secure the database?  I have a concern that if credit card information is going to be stored in a database that it needs to be secure.  What are the different options to secure that type of sensitive financial information?  What is the best approach?

It also seems that instead of storing large files in the database, that strong links to the files stored on the file system would be better and more secure?

I apologize for the general questions, but I'm just trying to get some guidance on what initial questions I should be thinking about in preparation for the actual design (structure) of the database.

Any guidance from a sql server guru would be immensely appreciated!!

Thank you!!
0
Comment
Question by:-Dman100-
6 Comments
 
LVL 16

Assisted Solution

by:HooKooDooKu
HooKooDooKu earned 400 total points
ID: 40310608
I would think that beyond just the database being secure... you want to add further security such as encrypting the credit card numbers within the database.

That way, even if a hacker got access to the database (such as a SQL injection... which you SHOULD already be protecting yourself from) they still don't have the credit card numbers until they also hack the encryption.
0
 
LVL 41

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 400 total points
ID: 40310638
There are whole standards you need to be aware of:
http://www.pcistandard.com/home-page/
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 400 total points
ID: 40310672
Also you could look at using an API for PCI compliance. It may cost a little bit more, but it could be worth it in the end. Here are a couple that I found, but you should look into them extensively before using any of them,

http://developer.authorize.net/faqs/

http://www.bluepay.com/developers/full-api-documentation

http://support.vendhq.com/hc/en-us/articles/201378980-Integrated-Card-Payments-and-Merchant-Providers

You have to be as secure as possible to protect yourself and the business as well as the customer information. It may save you a future lawsuit if it gets hacked. PCI compliance is very complicated thing to do correctly. The best way to not get PCI data stolen from your database is to not have it stored in your database.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 27

Accepted Solution

by:
planocz earned 800 total points
ID: 40310895
Most of the time you have to go to a third party company that handles ALL the secure side of the credit cards.
They will give you the encrypting code for you to check the card for all the needs that you need (new account, returning customer, credits, subtactions of active account, etc.).
Then all you have to do is setup a SQL db that will keep track of that customer card activity.
By doing this it will remove you (your company) from the liablity side of credit card transactions.
0
 

Author Comment

by:-Dman100-
ID: 40311068
Thanks for everyone's input.  Using a third party company to handle all the security sounds like the safest option.  How does that exactly work?  For example, do they only maintain the card information and I would store some key in the SQL Database that would return all the credit card information for a specific account?  What is involved in linking the SQL Server database to a third party company?

Thanks for all the responses and help!
Regards.
0
 
LVL 27

Assisted Solution

by:planocz
planocz earned 800 total points
ID: 40312027
Yes they will send you a key per transaction. You are the only one that controls your sql db.
You basically keep track of each customer with their transactions and keys.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question