[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

database security for storing online credit card information

Posted on 2014-09-08
6
Medium Priority
?
325 Views
Last Modified: 2014-09-10
Hi Experts,

I'm gathering some requirements for a new database that will serve for a .NET website that will accept online credit card applications for businesses.  It has been awhile since I've worked with SQL Server and I'm trying get prepared on the what questions I need to address around designing this database?

There will need to be tables setup that keep track of the credit card approval process (all steps during it's approval).
There will need to be the ability to differentiate between new account requests and adding a new cardholder to an existing account.  A different application will be required for both scenarios.
There will need to be the ability to attach large documents.

So, my first question, is what are the ways to secure the database?  I have a concern that if credit card information is going to be stored in a database that it needs to be secure.  What are the different options to secure that type of sensitive financial information?  What is the best approach?

It also seems that instead of storing large files in the database, that strong links to the files stored on the file system would be better and more secure?

I apologize for the general questions, but I'm just trying to get some guidance on what initial questions I should be thinking about in preparation for the actual design (structure) of the database.

Any guidance from a sql server guru would be immensely appreciated!!

Thank you!!
0
Comment
Question by:-Dman100-
6 Comments
 
LVL 16

Assisted Solution

by:HooKooDooKu
HooKooDooKu earned 400 total points
ID: 40310608
I would think that beyond just the database being secure... you want to add further security such as encrypting the credit card numbers within the database.

That way, even if a hacker got access to the database (such as a SQL injection... which you SHOULD already be protecting yourself from) they still don't have the credit card numbers until they also hack the encryption.
0
 
LVL 41

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 400 total points
ID: 40310638
There are whole standards you need to be aware of:
http://www.pcistandard.com/home-page/
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 400 total points
ID: 40310672
Also you could look at using an API for PCI compliance. It may cost a little bit more, but it could be worth it in the end. Here are a couple that I found, but you should look into them extensively before using any of them,

http://developer.authorize.net/faqs/

http://www.bluepay.com/developers/full-api-documentation

http://support.vendhq.com/hc/en-us/articles/201378980-Integrated-Card-Payments-and-Merchant-Providers

You have to be as secure as possible to protect yourself and the business as well as the customer information. It may save you a future lawsuit if it gets hacked. PCI compliance is very complicated thing to do correctly. The best way to not get PCI data stolen from your database is to not have it stored in your database.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 27

Accepted Solution

by:
planocz earned 800 total points
ID: 40310895
Most of the time you have to go to a third party company that handles ALL the secure side of the credit cards.
They will give you the encrypting code for you to check the card for all the needs that you need (new account, returning customer, credits, subtactions of active account, etc.).
Then all you have to do is setup a SQL db that will keep track of that customer card activity.
By doing this it will remove you (your company) from the liablity side of credit card transactions.
0
 

Author Comment

by:-Dman100-
ID: 40311068
Thanks for everyone's input.  Using a third party company to handle all the security sounds like the safest option.  How does that exactly work?  For example, do they only maintain the card information and I would store some key in the SQL Database that would return all the credit card information for a specific account?  What is involved in linking the SQL Server database to a third party company?

Thanks for all the responses and help!
Regards.
0
 
LVL 27

Assisted Solution

by:planocz
planocz earned 800 total points
ID: 40312027
Yes they will send you a key per transaction. You are the only one that controls your sql db.
You basically keep track of each customer with their transactions and keys.
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
This shares a stored procedure to retrieve permissions for a given user on the current database or across all databases on a server.
SQL Database Recovery Software repairs the MDF & NDF Files, corrupted due to hardware related issues or software related errors. Provides preview of recovered database objects and allows saving in either MSSQL, CSV, HTML or XLS format. Ensures recov…
Stellar Phoenix SQL Database Repair software easily fixes the suspect mode issue of SQL Server database. It is a simple process to bring the database from suspect mode to normal mode. Check out the video and fix the SQL database suspect mode problem.

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question