Credit Card Details

Thread index (subject, author, date):
Credit Card Details            Griff                  12-20-2007
  Re: Credit Card Details      Roger Abell [MV...     12-21-2007
  Re: Credit Card Details      Anne & Lynn Whe...     12-26-2007
Posted by Griff on December 20, 2007, 7:15 am
If sensitive information (such as a credit card) has to be saved to a
database then there is a duty of care to protect this information.

If the data is saved in plain text, then there is a concern that a hacker
gaining access to the server will therefore gain access to the credit card
data.

One option is therefore to encrypt it. This means that the data is stored
on the server in an encrypted format. However, at some stage, the software
will legitimately need to decrypt the data in order to use this information.
To achieve this, it has to have access to the key to decrypt the
information. If the software has access to this decryption key then surely
so will any hacker. It would be equivalent to buying a secure safe and
hanging the keys next to it.

There must be a more secure implementation - could someone describe it?

Many thanks

Griff
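The objection in the question (the software that decrypts must hold the key, so an intruder on the same server holds it too) is the one key separation is designed to answer. The following is an added example, not code from this thread or from any product it mentions: each record gets its own data-encryption key (DEK), the DEK is persisted only after being wrapped by a key-encryption key (KEK) that never enters the database, and a dump of the table alone yields nothing. `KeyService` is a hypothetical stand-in for the HSM or key-management service that would hold the KEK in practice; the cipher is a minimal encrypt-then-MAC construction from the standard library so the file runs offline, and is illustrative rather than something to deploy.

```python
# Added example, not code from the thread. Key separation: per-record DEKs,
# wrapped by a KEK that is never stored with the data. KeyService is a
# hypothetical stand-in for an HSM/KMS. The cipher is an HMAC-SHA256 keystream
# plus HMAC-SHA256 tag (encrypt-then-MAC) so the file needs no third-party
# packages; a real deployment would use a vetted AEAD such as AES-GCM.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple:
    # Separate keys for encryption and authentication, derived from one secret.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered record raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyService:
    """Hypothetical stand-in for an HSM/KMS: holds the KEK, never hands it out,
    and only wraps or unwraps DEKs on request."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)


def store_card(db: dict, kms: KeyService, order_id: str, pan: str) -> None:
    """Persist the card number under a fresh per-record DEK.
    Only the ciphertext and the wrapped DEK reach the database."""
    dek = secrets.token_bytes(32)
    db[order_id] = {
        "pan_ct": seal(dek, pan.encode()),
        "dek_wrapped": kms.wrap(dek),
        "last4": pan[-4:],  # non-sensitive display value
    }


def read_card(db: dict, kms: KeyService, order_id: str) -> str:
    """Legitimate use: ask the key service to unwrap the DEK, then decrypt."""
    record = db[order_id]
    dek = kms.unwrap(record["dek_wrapped"])
    return unseal(dek, record["pan_ct"]).decode()


def dump_reveals_pan(db: dict, pan: str) -> bool:
    """What someone who obtained only the table contents can read directly."""
    needle = pan.encode()
    return any(needle in r["pan_ct"] or needle in r["dek_wrapped"] for r in db.values())


if __name__ == "__main__":
    # Constructed input: the well-known 4111... test number, not real card data.
    db, kms = {}, KeyService()
    store_card(db, kms, "order-1", "4111111111111111")
    print(read_card(db, kms, "order-1"))            # application with KMS access
    print(dump_reveals_pan(db, "4111111111111111"))  # False: the dump alone is useless
```

Two design points follow from this layout. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every record. And the remaining trust boundary is the running application, which can still ask the key service to unwrap: the scheme limits what a copied database is worth, not what a compromised application process can do, which is why the reply below prefers not storing the number at all.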



Posted by J Wolfgang Goerlich (jwgoerlich@gmail.com) on December 20, 2007, 7:37 am
Hello Griff,

You may want to spend time researching the Payment Card Industry (PCI)
Data Security Standard. This lays out in detail the best practices for
handling credit card information.

My advice is to not store the credit card at all. Process the
transaction and then flush the card information after confirmation. If
you absolutely must keep the data, consider encrypting it at the
database level. This incurs a performance penalty but is likely the
most straightforward implementation.

Regards,

J Wolfgang Goerlich

Related Links:

Payment Card Industry Data Security Standard Compliance Planning Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=D8320DF1-D0D0-469F-A6FC-B53987BD74C2&displaylang=en

Implementing Row- and Cell-Level Security in Classified Databases
Using SQL Server 2005
http://www.microsoft.com/technet/prodtechnol/sql/2005/multisec.mspx


> If sensitive information (such as a credit card) has to be saved to a
> database then there is a duty of care to protect this information.
>
> If the data is saved in plain text, then there is a concern that a hacker
> gaining access to the server will therefore gain access to the credit card
> data.
>
> One option is therefore to encrypt it. This means that the data is stored
> on the server in an encrypted format. However, at some stage, the software
> will legitimately need to decrypt the data in order to use this information.
> To achieve this, it has to have access to the key to decrypt the
> information. If the software has access to this decryption key then surely
> so will any hacker. It would be equivalent to buying a secure safe and
> hanging the keys next to it.
>
> There must be a more secure implementation - could someone describe it?
>
> Many thanks
>
> Griff
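The "process the transaction and then flush" advice in this reply, as an added example that is not part of the thread or of any product it links to. `PaymentGateway` is a constructed stub for the external processor that actually handles the card number; the point is what the merchant's own record contains once authorization is done. A log scrubber is included because application logs are where card numbers most often end up stored without anyone deciding to store them, and the Luhn check rejects mistyped numbers before any call goes out. The test card number is the well-known 4111... value, not real data.

```python
# Added example, not code from the thread. Authorize with an external gateway
# (constructed stub below), then persist only an authorization reference and a
# masked number. Nothing in our own database or logs carries the full PAN.
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum used on card numbers; rejects typos before any call out."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# 15 to 19 consecutive digits, split so the middle can be masked.
PAN_RE = re.compile(r"\b(\d{6})(\d{5,9})(\d{4})\b")


def scrub_log_line(line: str) -> str:
    """Mask anything that looks like a card number before it reaches a log."""
    return PAN_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), line)


class PaymentGateway:
    """Constructed stub for the external processor; it is the only party that
    sees the full number. A real gateway returns a reference usable for later
    capture or refund, which is all the merchant needs to keep."""

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> dict:
        approved = amount_cents > 0
        return {"approved": approved, "auth_ref": "AUTH-" + secrets.token_hex(6)}


def checkout(db: dict, gateway: PaymentGateway, order_id: str,
             pan: str, expiry: str, amount_cents: int) -> dict:
    """Authorize, then persist only what later processing actually needs."""
    if not luhn_ok(pan):
        raise ValueError("card number failed checksum")
    result = gateway.authorize(pan, expiry, amount_cents)  # the only place the PAN goes
    record = {
        "order_id": order_id,
        "auth_ref": result["auth_ref"],      # for capture/refund
        "masked_pan": mask_pan(pan),         # for receipts and support
        "amount_cents": amount_cents,
        "status": "approved" if result["approved"] else "declined",
    }
    db[order_id] = record                    # the full PAN never enters the store
    return record


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Check for tests and code review: no persisted field may hold the number."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    db = {}
    rec = checkout(db, PaymentGateway(), "order-1", "4111111111111111", "12/29", 1999)
    print(rec)
    print(scrub_log_line("authorizing 4111111111111111 for order-1"))
```

After the call returns, the card number exists only as a local variable of `checkout` and in the gateway's hands; a breach of the merchant's database or log files yields an authorization reference and a masked number, which cannot be replayed as a card. The `record_leaks_pan` check is the kind of assertion worth keeping in a test suite so that a later change (say, adding a "debug" field) cannot quietly reintroduce storage.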


Posted by Ron H on December 20, 2007, 9:13 am
Hi, I would like to know more on what you mean by "flush the card
information after confirmation". If I've made purchases using a card #,
where would that number be hiding on my computer? Thank you, Ron

"jwgoerlich@gmail.com" wrote:

> Hello Griff,
>
> You may want to spend time researching the Payment Card Industry (PCI)
> Data Security Standard. This lays out in detail the best practices for
> handling credit card information.
>
> My advice is to not store the credit card at all. Process the
> transaction and then flush the card information after confirmation. If
> you absolutely must keep the data, consider encrypting it at the
> database level. This incurs a performance penalty but is likely the
> most straightforward implementation.
>
> Regards,
>
> J Wolfgang Goerlich
>
> Related Links:
>
> Payment Card Industry Data Security Standard Compliance Planning Guide
> http://www.microsoft.com/downloads/details.aspx?FamilyID=D8320DF1-D0D0-469F-A6FC-B53987BD74C2&displaylang=en
>
> Implementing Row- and Cell-Level Security in Classified Databases
> Using SQL Server 2005
> http://www.microsoft.com/technet/prodtechnol/sql/2005/multisec.mspx
>
>
> > If sensitive information (such as a credit card) has to be saved to a
> > database then there is a duty of care to protect this information.
> >
> > If the data is saved in plain text, then there is a concern that a hacker
> > gaining access to the server will therefore gain access to the credit card
> > data.
> >
> > One option is therefore to encrypt it. This means that the data is stored
> > on the server in an encrypted format. However, at some stage, the software
> > will legitimately need to decrypt the data in order to use this information.
> > To achieve this, it has to have access to the key to decrypt the
> > information. If the software has access to this decryption key then surely
> > so will any hacker. It would be equivalent to buying a secure safe and
> > hanging the keys next to it.
> >
> > There must be a more secure implementation - could someone describe it?
> >
> > Many thanks
> >
> > Griff
>
>

Posted by J Wolfgang Goerlich (jwgoerlich@gmail.com) on December 20, 2007, 10:01 am
Hello Ron,

I mean flushing the information on the e-commerce web and database
servers. This is not on your own computer.

Some companies, like Amazon.com, store the credit card information and
keep it on file after your purchase. This is a concern because, should
the data fall into the wrong hands, the credit card numbers could be
misused.

Other companies, like Solarbotics, do not store the credit card
information. They process the transaction and flush all identifying
information. Should the information fall into the wrong hands, there
is nothing to outright misuse. More companies should operate like
Solarbotics, in my opinion.

Consumers have control over this insofar as spending their money with
companies with stringent security and privacy guidelines.

J Wolfgang Goerlich


Solarbotics
http://www.solarbotics.com/info/privacy-policy/

> Hi, I would like to know more on what you mean by "flush the card
> information after confirmation". If I've made purchases using a card #,
> where would that number be hiding on my computer? Thank you, Ron

Posted by Ron H on December 20, 2007, 10:18 am
Mr. Goerlich, thanks for the comeback. You're always very informative;
I've read many posts. Enjoy your holidays. Ron

"jwgoerlich@gmail.com" wrote:

> Hello Ron,
>
> I mean flushing the information on the e-commerce web and database
> servers. This is not on your own computer.
>
> Some companies, like Amazon.com, store the credit card information and
> keep it on file after your purchase. This is a concern because, should
> the data fall into the wrong hands, the credit card numbers could be
> misused.
>
> Other companies, like Solarbotics, do not store the credit card
> information. They process the transaction and flush all identifying
> information. Should the information fall into the wrong hands, there
> is nothing to outright misuse. More companies should operate like
> Solarbotics, in my opinion.
>
> Consumers have control over this insofar as spending their money with
> companies with stringent security and privacy guidelines.
>
> J Wolfgang Goerlich
>
>
> Solarbotics
> http://www.solarbotics.com/info/privacy-policy/
>
> > Hi, I would like to know more on what you mean by "flush the card
> > information after confirmation". If I've made purchases using a card #,
> > where would that number be hiding on my computer? Thank you, Ron
>
