> Hey I was wondering what you all were doing as far as security 
> with the CC numbers in the database?  A friend of mine's mysql 
> database was hacked into (I don't know all the details of how, etc 
> but luckily there were not CC numbers in there) so now I'm getting 
> worried....

If you are plugging into CyberCash, Signio or something like them,
then you don't really need to save the credit card number at all.
So, just get rid of the code that saves it.

If you are validating cards later, perhaps through a fulfillment
house, then you probably need to keep the credit card around in
some form.  You could encrypt the numbers, and you definitely
should encrypt all the data flowing out of the Web site.  This
could mean using pgp on a data file, or using "scp" to
transfer.

Here's an interesting thing to think about, though.  Imagine
encrypting the credit cards themselves before you place them in
the database.  You might think that this is safer because even if
someone got your database, they wouldn't have the cards.  But if you
have configured your database correctly, you've set it up to
disallow connections from outside machines.  In that case, the only
way for someone to get at the database is by logging into the machine.
If you can log into the machine, there's a good chance you can
intercept the credit cards.

This is just a fancy way to say that your security is only as good
as its weakest link.  In this case, it's the root password.  This is
assuming you haven't made any terrible mistakes, like allowing anyone
to log into your database server, or placing invoice info in htdocs.

Leon

------------------------------------------------------------
To subscribe:    [EMAIL PROTECTED]
To unsubscribe:  [EMAIL PROTECTED]
Site:            http://www.working-dogs.com/freetrade/
Problems?:       [EMAIL PROTECTED]

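The "encrypt the numbers before you put them in the database" option from the reply above, as an added example that is not code from the list post or any of its participants. It is Go using only the standard library; the `Keys` struct, the `StoredCard` row shape, the `protectCard`/`recoverCard` names and the demo key values are all assumptions constructed for this example. The row keeps only the last four digits, a keyed hash for matching a returning card, and an AES-256-GCM blob; the keys are assumed to be loaded from outside the database (a file readable only by the application user, or a separate key service), which is precisely why this helps against a stolen database dump but not against someone who already has root on the host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the shape of the database row: the full card number never
// appears in it in the clear.
type StoredCard struct {
	Last4      string // enough for receipts and customer service
	Token      string // keyed hash; matches a returning card without decrypting
	Ciphertext []byte // AES-256-GCM blob: nonce || ciphertext || tag
}

// Keys live outside the database (assumption for this example). Whoever has
// root on the application host can still read them: the weakest-link point.
type Keys struct {
	Enc  []byte // 32 bytes for AES-256
	HMAC []byte
}

// panAAD binds the ciphertext to its purpose so a blob cannot be swapped
// into a column that expects something else.
var panAAD = []byte("card-pan-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectCard turns a plaintext card number into the row that gets stored.
func protectCard(pan string, k Keys) (StoredCard, error) {
	if len(pan) < 12 || len(pan) > 19 {
		return StoredCard{}, errors.New("card number has implausible length")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return StoredCard{}, errors.New("card number must be digits only")
		}
	}
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// Seal appends to its first argument, so the blob is nonce || ct || tag.
	ct := gcm.Seal(nonce, nonce, []byte(pan), panAAD)

	mac := hmac.New(sha256.New, k.HMAC)
	mac.Write([]byte(pan))
	return StoredCard{
		Last4:      pan[len(pan)-4:],
		Token:      hex.EncodeToString(mac.Sum(nil)),
		Ciphertext: ct,
	}, nil
}

// recoverCard is the only path back to the full number. It fails closed on a
// wrong key or a tampered blob because GCM authenticates the ciphertext.
func recoverCard(s StoredCard, k Keys) (string, error) {
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(s.Ciphertext) < ns {
		return "", errors.New("stored ciphertext too short")
	}
	pt, err := gcm.Open(nil, s.Ciphertext[:ns], s.Ciphertext[ns:], panAAD)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo keys; a real deployment reads them from outside the DB.
	k := Keys{Enc: make([]byte, 32), HMAC: []byte("constructed-demo-hmac-key")}
	for i := range k.Enc {
		k.Enc[i] = byte(i)
	}
	row, err := protectCard("4111111111111111", k) // constructed test number
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s token=%s... blob=%d bytes\n",
		row.Last4, row.Token[:16], len(row.Ciphertext))
	pan, err := recoverCard(row, k)
	fmt.Println("recovered:", pan, err)
}
```

Two design choices worth noting: the HMAC token is deterministic, so the same card produces the same token and you can spot a repeat customer or a chargeback without ever decrypting, while the GCM blob uses a fresh random nonce, so two rows for the same card do not look alike. Decryption belongs only in the process that actually talks to the fulfillment house; the Web tier that takes orders needs `protectCard` but not `recoverCard`, so it can run without the encryption key at all.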