Solved

database security for storing online credit card information

Posted on 2014-09-08
Last Modified: 2014-09-10
Hi Experts,

I'm gathering some requirements for a new database that will serve a .NET website that will accept online credit card applications for businesses.  It has been a while since I've worked with SQL Server and I'm trying to get prepared on what questions I need to address around designing this database.

There will need to be tables set up that keep track of the credit card approval process (all steps during its approval).
There will need to be the ability to differentiate between new account requests and adding a new cardholder to an existing account.  A different application will be required for both scenarios.
There will need to be the ability to attach large documents.

So, my first question, is what are the ways to secure the database?  I have a concern that if credit card information is going to be stored in a database that it needs to be secure.  What are the different options to secure that type of sensitive financial information?  What is the best approach?

It also seems that instead of storing large files in the database, that strong links to the files stored on the file system would be better and more secure?

I apologize for the general questions, but I'm just trying to get some guidance on what initial questions I should be thinking about in preparation for the actual design (structure) of the database.

Any guidance from a sql server guru would be immensely appreciated!!

Thank you!!
Question by:-Dman100-
6 Comments
 
Assisted Solution

by:HooKooDooKu
HooKooDooKu earned 100 total points
ID: 40310608
I would think that beyond just the database being secure... you want to add further security such as encrypting the credit card numbers within the database.

That way, even if a hacker got access to the database (such as a SQL injection... which you SHOULD already be protecting yourself from) they still don't have the credit card numbers until they also hack the encryption.
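As an added illustration of the column-level encryption HooKooDooKu describes, here is the shape such a setup takes in SQL Server using its built-in symmetric key and certificate objects. This is example T-SQL written for this page, not code from the thread; every object name, the placeholder password and the sample card number are constructed assumptions. The key is opened only around the statements that need it, and a separate read-only role is deliberately never granted access to the key, so a query run under that role sees ciphertext only:

```sql
-- Added example (not from the thread): encrypting a card-number column in SQL Server.
-- Object names and the password placeholder are assumptions; 4111111111111111 is a
-- constructed test number, not a real card.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
CREATE CERTIFICATE CardDataCert WITH SUBJECT = 'Card data column encryption';
GO
CREATE SYMMETRIC KEY CardDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardDataCert;
GO

CREATE TABLE dbo.CardApplication (
    ApplicationId  INT IDENTITY PRIMARY KEY,
    BusinessName   NVARCHAR(200)  NOT NULL,
    CardNumberEnc  VARBINARY(256) NOT NULL,  -- ciphertext only; no plaintext column exists
    CardLast4      CHAR(4)        NOT NULL,  -- safe display value for the UI
    CreatedAt      DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- Write path: the key is open only for the duration of the insert.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
INSERT INTO dbo.CardApplication (BusinessName, CardNumberEnc, CardLast4)
VALUES (N'Example Co',
        EncryptByKey(Key_GUID('CardDataKey'), N'4111111111111111'),
        '1111');
CLOSE SYMMETRIC KEY CardDataKey;
GO

-- Read path: only a principal permitted to open the key recovers the plaintext.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
SELECT ApplicationId,
       CardLast4,
       CONVERT(NVARCHAR(19), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.CardApplication;
CLOSE SYMMETRIC KEY CardDataKey;
GO

-- A role that may read applications but is never granted permissions on
-- CardDataCert or CardDataKey cannot OPEN the key, so for its members
-- DecryptByKey(CardNumberEnc) returns NULL and only CardLast4 is readable.
CREATE ROLE AppReader;
GRANT SELECT ON dbo.CardApplication TO AppReader;
GO
```

The value of this layout depends on which login the website runs under: if the web application's own login is allowed to open the key, a SQL injection executing as that login can open it too, so the decrypting statements should run under a separate, narrowly used principal rather than the general page-serving login. Note also that storing the card number at all, even encrypted, keeps the database inside the PCI DSS scope that the later answers in this thread point to.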
 
Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 100 total points
ID: 40310638
There are whole standards you need to be aware of:
http://www.pcistandard.com/home-page/
 
Assisted Solution

by:Jerry Miller
Jerry Miller earned 100 total points
ID: 40310672
Also you could look at using an API for PCI compliance. It may cost a little bit more, but it could be worth it in the end. Here are a couple that I found, but you should look into them extensively before using any of them:

http://developer.authorize.net/faqs/

http://www.bluepay.com/developers/full-api-documentation

http://support.vendhq.com/hc/en-us/articles/201378980-Integrated-Card-Payments-and-Merchant-Providers

You have to be as secure as possible to protect yourself and the business as well as the customer information. It may save you a future lawsuit if it gets hacked. PCI compliance is a very complicated thing to do correctly. The best way to not get PCI data stolen from your database is to not have it stored in your database.
 
Accepted Solution

by:planocz
planocz earned 200 total points
ID: 40310895
Most of the time you have to go to a third party company that handles ALL the secure side of the credit cards.
They will give you the encrypting code for you to check the card for all the needs that you need (new account, returning customer, credits, subtractions of active account, etc.).
Then all you have to do is set up a SQL db that will keep track of that customer card activity.
By doing this it will remove you (your company) from the liability side of credit card transactions.
 

Author Comment

by:-Dman100-
ID: 40311068
Thanks for everyone's input.  Using a third party company to handle all the security sounds like the safest option.  How does that exactly work?  For example, do they only maintain the card information and I would store some key in the SQL Database that would return all the credit card information for a specific account?  What is involved in linking the SQL Server database to a third party company?

Thanks for all the responses and help!
Regards.
 
Assisted Solution

by:planocz
planocz earned 200 total points
ID: 40312027
Yes they will send you a key per transaction. You are the only one that controls your sql db.
You basically keep track of each customer with their transactions and keys.
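To make concrete the token-based layout planocz describes in the accepted solution and in this follow-up (the provider holds the card and returns a key per transaction; your database keeps only customers, transactions and keys), here is an added T-SQL schema sketch written for this page rather than taken from the thread. The table and column names, the token formats and the sample rows are all constructed assumptions; the point of the design is that no column anywhere can hold a card number, and a CHECK constraint stops one from slipping into free text:

```sql
-- Added example (not from the thread): "keep the token, not the card" schema.
-- Object names, token formats and sample rows are constructed for illustration.
CREATE TABLE dbo.Account (
    AccountId     INT IDENTITY PRIMARY KEY,
    BusinessName  NVARCHAR(200) NOT NULL
);

CREATE TABLE dbo.Cardholder (
    CardholderId  INT IDENTITY PRIMARY KEY,
    AccountId     INT NOT NULL REFERENCES dbo.Account(AccountId),
    HolderName    NVARCHAR(200) NOT NULL,
    -- Opaque reference issued by the payment provider; meaningless outside their vault.
    CardToken     VARCHAR(64) NOT NULL UNIQUE,
    -- Display-only fragments; neither is sufficient to charge the card.
    CardLast4     CHAR(4) NOT NULL CHECK (CardLast4 NOT LIKE '%[^0-9]%'),
    CardExpiry    CHAR(7) NOT NULL,   -- 'YYYY-MM', enough for renewal reminders
    -- Free text is where card numbers leak in by accident: reject 13+ consecutive digits.
    Notes         NVARCHAR(1000) NULL
        CHECK (Notes NOT LIKE '%[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]%')
);

CREATE TABLE dbo.CardTransaction (
    TransactionId   BIGINT IDENTITY PRIMARY KEY,
    CardholderId    INT NOT NULL REFERENCES dbo.Cardholder(CardholderId),
    -- The per-transaction key the provider returns; refunds and disputes reference it.
    ProviderTxnKey  VARCHAR(64) NOT NULL UNIQUE,
    TxnType         VARCHAR(10) NOT NULL
        CHECK (TxnType IN ('AUTH', 'CAPTURE', 'CREDIT', 'VOID')),
    AmountCents     BIGINT NOT NULL CHECK (AmountCents >= 0),
    OccurredAt      DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()
);

-- Constructed sample rows: one account, one cardholder, one authorization.
INSERT INTO dbo.Account (BusinessName) VALUES (N'Example Co');
INSERT INTO dbo.Cardholder (AccountId, HolderName, CardToken, CardLast4, CardExpiry)
VALUES (SCOPE_IDENTITY(), N'A. Cardholder', 'tok_EXAMPLE_0001', '1111', '2016-09');
INSERT INTO dbo.CardTransaction (CardholderId, ProviderTxnKey, TxnType, AmountCents)
VALUES (SCOPE_IDENTITY(), 'txn_EXAMPLE_0001', 'AUTH', 12500);

-- This insert is rejected by the Notes CHECK constraint: a full card number
-- typed into a comment field never reaches disk.
-- INSERT INTO dbo.Cardholder (AccountId, HolderName, CardToken, CardLast4, CardExpiry, Notes)
-- VALUES (1, N'B. Cardholder', 'tok_EXAMPLE_0002', '4242', '2017-01', N'card 4242424242424242');

-- Activity report for one account: everything the business needs, no card number anywhere.
SELECT a.BusinessName, c.HolderName, c.CardLast4, c.CardExpiry,
       t.ProviderTxnKey, t.TxnType, t.AmountCents, t.OccurredAt
FROM dbo.Account a
JOIN dbo.Cardholder c ON c.AccountId = a.AccountId
JOIN dbo.CardTransaction t ON t.CardholderId = c.CardholderId
WHERE a.AccountId = 1
ORDER BY t.OccurredAt;
```

With this layout the provider's token stands in for the card in every table: when the business needs to charge the same card again, the application sends the token back to the provider rather than a number, so a breach of your SQL Server yields tokens that are only meaningful to that provider's vault. The large documents from the original question can be kept out of these tables entirely and referenced by path or identifier, which keeps the tables holding tokens small and easy to audit.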