database design questions

I'm working on designing a new database for a web application that accepts online credit card applications from businesses.  I have put together the following series of questions during the design phase:

•Do you have any regulatory requirements for data access and storage (Sarbanes-Oxley and HIPAA come to mind)?
•Do you need to be able to audit record changes?
•What internal controls do you need reflected in the database?
•What business rules must be followed under what circumstances?
•How large do you expect the data to get?
•How flexible do you want the system to be (do you want to be able to add columns on the fly? Or add business rules)?
•Do you need a separate data warehouse for reporting?
•How do you need the data populated? Will it come from an application, multiple applications, data imports or a combination?
•What databases do you currently have a license for? Already know this one... SQL Server 2012.
•Will different groups of users need different accesses?
•How is the process currently being handled? I believe the current process is handled manually.
•Do you need to migrate data from the old system? Also, I believe the answer is no for this one?

I would be interested in any additional feedback on other questions I should consider.

Thanks in advance for any help!
Regards.
-Dman100, Software Consultant, asked:
Dave Baldwin, Fixer of Problems, commented:
PCI (Payment Card Industry) standards since you're dealing with credit card related data.  https://www.pcisecuritystandards.org/
Racim BOUDJAKDJI, Database Architect - DBA - Data Scientist, commented:
•Do you have any regulatory requirements for data access and storage (Sarbanes-Oxley and HIPAA come to mind)?
See above. Confidentiality must be ensured at the database level.


•Do you need to be able to audit record changes?
Yes

•What internal controls do you need reflected in the database?
Generally, the ones concerning privacy, confidentiality and showing that you have control over credit.

•What business rules must be followed under what circumstances?
See above.

•How large do you expect the data to get?
Depends on the amount of people using the system.

•How flexible do you want the system to be (do you want to be able to add columns on the fly? OR add business rules)?
Design a proper database. Do not *ever* create tables and columns on the fly. Declarative constraints with proper error management are the key.

•Do you need a separate data warehouse for reporting?
No.

•How do you need the data populated? Will it come from an application, multiple applications, data imports or a combination?
A database is supposed to take input/give output from any application.

•What databases do you currently have a license for? Already know this one... SQL Server 2012.
Yes make sure you are not breaking the law.

•Will different groups of users need different accesses?
As little as possible.  Even on reading data.  

•How is the process currently being handled?  I believe the current process is handled manually.
Is there a point in comparing an absence of security/process to something structured? Build a secure process to be in agreement with the law. The current process is probably illegal.

•Do you need to migrate data from the old system?  Also, I believe the answer is no for this one?
Actually, the answer is yes.  

Security auditors will look for consistency in the handling of privacy. If they realize that some customers do not have the same level of security as others, you are exposing yourself to punishment.
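The answer above asks for three things from the database itself: an audit trail of record changes, declarative constraints with proper error management instead of schema changes on the fly, and access that is as narrow as possible even for reads. The following T-SQL script for SQL Server 2012 is an added example that is not part of the original thread and not any participant's code; the schema, table, column, role and view names are assumptions chosen for illustration, and the inserted row is constructed sample input. It shows a constrained application table, an append-only audit table fed by a trigger, a masked view for read-only reviewers, roles that receive only the permissions they need, and a TRY/CATCH block in which a constraint violation is caught as a structured error rather than accepted as bad data.

```sql
-- Added example (T-SQL, SQL Server 2012). All object names below are assumed.
SET NOCOUNT ON;
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
-- Declarative constraints: the database rejects bad rows itself rather than
-- trusting every calling application (or import job) to validate them.
CREATE TABLE app.CardApplication (
    ApplicationId  INT IDENTITY(1,1) NOT NULL CONSTRAINT PK_CardApplication PRIMARY KEY,
    BusinessName   NVARCHAR(200)     NOT NULL,
    TaxId          CHAR(9)           NOT NULL,
    RequestedLimit DECIMAL(12,2)     NOT NULL,
    Status         VARCHAR(10)       NOT NULL CONSTRAINT DF_CardApplication_Status DEFAULT ('Pending'),
    CreatedAt      DATETIME2(0)      NOT NULL CONSTRAINT DF_CardApplication_CreatedAt DEFAULT (SYSUTCDATETIME()),
    CONSTRAINT CK_CardApplication_TaxId  CHECK (TaxId NOT LIKE '%[^0-9]%'),   -- digits only
    CONSTRAINT CK_CardApplication_Limit  CHECK (RequestedLimit > 0),
    CONSTRAINT CK_CardApplication_Status CHECK (Status IN ('Pending', 'Approved', 'Declined'))
);
GO
-- Audit table: one row per change, recording who made it and when.
-- Deliberately no foreign key to CardApplication so deleted rows stay in the history.
CREATE TABLE app.CardApplicationAudit (
    AuditId       BIGINT IDENTITY(1,1) NOT NULL CONSTRAINT PK_CardApplicationAudit PRIMARY KEY,
    ApplicationId INT           NOT NULL,
    Operation     CHAR(1)       NOT NULL CONSTRAINT CK_Audit_Operation CHECK (Operation IN ('I', 'U', 'D')),
    OldStatus     VARCHAR(10)   NULL,
    NewStatus     VARCHAR(10)   NULL,
    OldLimit      DECIMAL(12,2) NULL,
    NewLimit      DECIMAL(12,2) NULL,
    ChangedBy     NVARCHAR(128) NOT NULL CONSTRAINT DF_Audit_ChangedBy DEFAULT (ORIGINAL_LOGIN()),
    ChangedAt     DATETIME2(0)  NOT NULL CONSTRAINT DF_Audit_ChangedAt DEFAULT (SYSUTCDATETIME())
);
GO
-- Trigger: every insert, update and delete on the application table is written to the audit table.
CREATE TRIGGER app.trg_CardApplication_Audit
ON app.CardApplication
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO app.CardApplicationAudit (ApplicationId, Operation, OldStatus, NewStatus, OldLimit, NewLimit)
    SELECT COALESCE(i.ApplicationId, d.ApplicationId),
           CASE WHEN d.ApplicationId IS NULL THEN 'I'
                WHEN i.ApplicationId IS NULL THEN 'D'
                ELSE 'U' END,
           d.Status, i.Status, d.RequestedLimit, i.RequestedLimit
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.ApplicationId = i.ApplicationId;
END;
GO
-- Least privilege: reviewers read through a view that masks the tax ID instead of
-- reading the base table; only the application role may write; no role is granted
-- anything on the audit table, so it can only be filled through the trigger.
CREATE VIEW app.vw_CardApplicationReview
AS
SELECT ApplicationId,
       BusinessName,
       '*****' + RIGHT(TaxId, 4) AS TaxIdMasked,   -- all but the last four digits hidden
       RequestedLimit,
       Status,
       CreatedAt
FROM app.CardApplication;
GO
CREATE ROLE app_writer;
CREATE ROLE app_reviewer;
GRANT SELECT, INSERT, UPDATE ON app.CardApplication TO app_writer;
GRANT SELECT ON app.vw_CardApplicationReview TO app_reviewer;
GO
-- Error management: a constraint violation surfaces as error 547 inside CATCH
-- instead of a silently stored bad row. The input below is constructed sample data.
BEGIN TRY
    INSERT INTO app.CardApplication (BusinessName, TaxId, RequestedLimit)
    VALUES (N'Example Widgets LLC', '12-345678', 25000.00);   -- hyphen violates CK_CardApplication_TaxId
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;
GO
```

Run it in an empty test database. Because the view and the base table share the same owner, a member of app_reviewer can read the masked view without any permission on app.CardApplication (ownership chaining), which is what lets you keep the base table closed to readers. The trigger records ORIGINAL_LOGIN() rather than the application's connection-pool account so that the audit row identifies the person who was impersonated or connected, not just the service login.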
Scott Pletcher, Senior DBA, commented:
The questions below either have nothing to do with logical database design or are only tangentially relevant to it. If you're just doing a design, ignore non-design questions until such time as they become relevant:

"
How large do you expect the data to get?
How do you need the data populated? Will it come from an application, multiple applications, data imports or a combination?
What databases do you currently have license for?
How is the process currently being handled?  I believe the current process is handled manually.
Do you need to migrate data from the old system?  Also, I believe the answer is no for this one?
"
