Welcome Guest, Not a member yet? Register   Sign In
Credit Card Storage
#1

[eluser]PV-Patrick[/eluser]
I was wondering if anyone had any suggestions on how to store CC information with CI. What is an acceptable/secure way of storing this data? Is the encryption key method, stored above web root sufficient?
#2

[eluser]Pascal Kriete[/eluser]
The ideal solution is - don't if you can avoid it.

If that isn't an option, store it on a separate server. You shouldn't store it on the webserver, and none of it should ever go over a non-encrypted connection. SSL is a must. The PCI also outlines a few rules for handling CC information, found here.

Basically, you want an encrypted connection to a non-web-accessible server (as well as an encrypted http connection). The stored data should be encrypted using a 128-bit cypher. And obviously, that server should have all the latest patches and security upgrades.

[EDIT: I knew I had seen it on some blog, here is how 37s do it]
#3

[eluser]PV-Patrick[/eluser]
Let's say the setup is as follows:
SSL Connection at all times
CC #/data is stored in a DB table, encrypted via the encrypt method in CI
encryption key is stored in the config file that is above the web root

What other items should be addressed/done besides the given of securing your machine as much as possible via updates, etc?
#4

[eluser]passenger[/eluser]
1) You should NEVER store credit card information on a shared web server. No matter how secure you think your encryption is.

2) Assuming you are not doing the above, but have a web server hosted in your own data centre, then you store credit card information on a server, behind your firewall, on your internal network. The webserver should write the credit card information, encrypted into a database or well-known non-public filesystem (above your web root), and then a seperate process, running from behind your firewall every few seconds should pick that information up, store it locally, then delete it. Note that the information is pulled onto the internal network, and never pushed - your webserver processes should not have access to the internal network.

You can achieve this in many ways - one is to use a SAN disk that is writeable by the web server, but exists within the internal network

That's the bare bones of how I have achieved this in the past.
#5

[eluser]Eric Cope[/eluser]
While I strongly recommend not storing credit card information anywhere, unless you are willing and able to reimburse your clients for fraudulent charges.
If you use encryption to store data, look into http://world.std.com/~reinhold/diceware.html
to generate truly random long (10-15 words) passphrases.
#6

[eluser]PV-Patrick[/eluser]
Thanks for the responses... After much research and responses I feel that just leaving that part up to the processor is the smart choice. They can handle it...




Theme © iAndrew 2016 - Forum software by © MyBB