Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

database security for storing online credit card information

Posted on 2014-09-08
6
Medium Priority
?
318 Views
Last Modified: 2014-09-10
Hi Experts,

I'm gathering some requirements for a new database that will serve for a .NET website that will accept online credit card applications for businesses.  It has been awhile since I've worked with SQL Server and I'm trying get prepared on the what questions I need to address around designing this database?

There will need to be tables setup that keep track of the credit card approval process (all steps during it's approval).
There will need to be the ability to differentiate between new account requests and adding a new cardholder to an existing account.  A different application will be required for both scenarios.
There will need to be the ability to attach large documents.

So, my first question, is what are the ways to secure the database?  I have a concern that if credit card information is going to be stored in a database that it needs to be secure.  What are the different options to secure that type of sensitive financial information?  What is the best approach?

It also seems that instead of storing large files in the database, that strong links to the files stored on the file system would be better and more secure?

I apologize for the general questions, but I'm just trying to get some guidance on what initial questions I should be thinking about in preparation for the actual design (structure) of the database.

Any guidance from a sql server guru would be immensely appreciated!!

Thank you!!
0
Comment
Question by:-Dman100-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 16

Assisted Solution

by:HooKooDooKu
HooKooDooKu earned 400 total points
ID: 40310608
I would think that beyond just the database being secure... you want to add further security such as encrypting the credit card numbers within the database.

That way, even if a hacker got access to the database (such as a SQL injection... which you SHOULD already be protecting yourself from) they still don't have the credit card numbers until they also hack the encryption.
0
 
LVL 40

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 400 total points
ID: 40310638
There are whole standards you need to be aware of:
http://www.pcistandard.com/home-page/
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 400 total points
ID: 40310672
Also you could look at using an API for PCI compliance. It may cost a little bit more, but it could be worth it in the end. Here are a couple that I found, but you should look into them extensively before using any of them,

http://developer.authorize.net/faqs/

http://www.bluepay.com/developers/full-api-documentation

http://support.vendhq.com/hc/en-us/articles/201378980-Integrated-Card-Payments-and-Merchant-Providers

You have to be as secure as possible to protect yourself and the business as well as the customer information. It may save you a future lawsuit if it gets hacked. PCI compliance is very complicated thing to do correctly. The best way to not get PCI data stolen from your database is to not have it stored in your database.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 27

Accepted Solution

by:
planocz earned 800 total points
ID: 40310895
Most of the time you have to go to a third party company that handles ALL the secure side of the credit cards.
They will give you the encrypting code for you to check the card for all the needs that you need (new account, returning customer, credits, subtactions of active account, etc.).
Then all you have to do is setup a SQL db that will keep track of that customer card activity.
By doing this it will remove you (your company) from the liablity side of credit card transactions.
0
 

Author Comment

by:-Dman100-
ID: 40311068
Thanks for everyone's input.  Using a third party company to handle all the security sounds like the safest option.  How does that exactly work?  For example, do they only maintain the card information and I would store some key in the SQL Database that would return all the credit card information for a specific account?  What is involved in linking the SQL Server database to a third party company?

Thanks for all the responses and help!
Regards.
0
 
LVL 27

Assisted Solution

by:planocz
planocz earned 800 total points
ID: 40312027
Yes they will send you a key per transaction. You are the only one that controls your sql db.
You basically keep track of each customer with their transactions and keys.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question