Solved

database security for storing online credit card information

Posted on 2014-09-08
6
309 Views
Last Modified: 2014-09-10
Hi Experts,

I'm gathering some requirements for a new database that will serve for a .NET website that will accept online credit card applications for businesses.  It has been awhile since I've worked with SQL Server and I'm trying get prepared on the what questions I need to address around designing this database?

There will need to be tables setup that keep track of the credit card approval process (all steps during it's approval).
There will need to be the ability to differentiate between new account requests and adding a new cardholder to an existing account.  A different application will be required for both scenarios.
There will need to be the ability to attach large documents.

So, my first question, is what are the ways to secure the database?  I have a concern that if credit card information is going to be stored in a database that it needs to be secure.  What are the different options to secure that type of sensitive financial information?  What is the best approach?

It also seems that instead of storing large files in the database, that strong links to the files stored on the file system would be better and more secure?

I apologize for the general questions, but I'm just trying to get some guidance on what initial questions I should be thinking about in preparation for the actual design (structure) of the database.

Any guidance from a sql server guru would be immensely appreciated!!

Thank you!!
0
Comment
Question by:-Dman100-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 16

Assisted Solution

by:HooKooDooKu
HooKooDooKu earned 100 total points
ID: 40310608
I would think that beyond just the database being secure... you want to add further security such as encrypting the credit card numbers within the database.

That way, even if a hacker got access to the database (such as a SQL injection... which you SHOULD already be protecting yourself from) they still don't have the credit card numbers until they also hack the encryption.
0
 
LVL 40

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 100 total points
ID: 40310638
There are whole standards you need to be aware of:
http://www.pcistandard.com/home-page/
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 100 total points
ID: 40310672
Also you could look at using an API for PCI compliance. It may cost a little bit more, but it could be worth it in the end. Here are a couple that I found, but you should look into them extensively before using any of them,

http://developer.authorize.net/faqs/

http://www.bluepay.com/developers/full-api-documentation

http://support.vendhq.com/hc/en-us/articles/201378980-Integrated-Card-Payments-and-Merchant-Providers

You have to be as secure as possible to protect yourself and the business as well as the customer information. It may save you a future lawsuit if it gets hacked. PCI compliance is very complicated thing to do correctly. The best way to not get PCI data stolen from your database is to not have it stored in your database.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 27

Accepted Solution

by:
planocz earned 200 total points
ID: 40310895
Most of the time you have to go to a third party company that handles ALL the secure side of the credit cards.
They will give you the encrypting code for you to check the card for all the needs that you need (new account, returning customer, credits, subtactions of active account, etc.).
Then all you have to do is setup a SQL db that will keep track of that customer card activity.
By doing this it will remove you (your company) from the liablity side of credit card transactions.
0
 

Author Comment

by:-Dman100-
ID: 40311068
Thanks for everyone's input.  Using a third party company to handle all the security sounds like the safest option.  How does that exactly work?  For example, do they only maintain the card information and I would store some key in the SQL Database that would return all the credit card information for a specific account?  What is involved in linking the SQL Server database to a third party company?

Thanks for all the responses and help!
Regards.
0
 
LVL 27

Assisted Solution

by:planocz
planocz earned 200 total points
ID: 40312027
Yes they will send you a key per transaction. You are the only one that controls your sql db.
You basically keep track of each customer with their transactions and keys.
0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question