albertkohl
Aged Yak Warrior
740 Posts
Posted - 2011-10-16 : 19:25:48

Okay, I have a client that wants to set up a capture page for order-entry. The fun part comes when they start wanting to accept credit cards and "express" checks (credit and check info). Basically what I was thinking is they can enter into the web form, the web form stores the data to a database, and then I have a job that ships them the cc/ck info daily for batching through their merchant.

I've read this doc: http://www.google.com/url?sa=t&source=web&cd=1&ved=0CDwQFjAA&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F4%2F7%2Fa%2F47a548b9-249e-484c-abd7-29f31282b04d%2FSQLEncryption.doc&rct=j&q=mssql%20encrypt%20sensitive%20data&ei=kjibTse5Mu-ksQLqq921BA&usg=AFQjCNHkAVvzLfb_qaOaqJxvVNiQCqDcHg and it covers how to encrypt and decrypt the data. I've got it to work, but here's my question for all you gurus out there: how can I set this up so that if my server is compromised, the data is still protected? If the encryption and decryption are all on the same database server, then I really can't, can I?

Any ideas? Can I maybe encrypt it on the server, then send it to them, and they can decrypt it? If so, do they need a SQL Server to decrypt it? Or is there a more user-friendly way to decrypt the file?

Also, if anyone has any pointers on where I can find out what all has to be encrypted, that'll be cool. I.e., can I encrypt only the cc/check info, or do I have to encrypt more than that?

Thanks in advance, you guys always rock :)
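The split the question asks about (the web server can only encrypt, and only the merchant can decrypt) is what public-key encryption gives you: the server holds nothing but the merchant's public key, so a compromise of the server yields ciphertext that the attacker cannot open. The Go program below is an added example written for this thread; it is not code from the poster, from SQLTeam, or from the SQL Server encryption document linked above. It assumes a hybrid scheme, which is my choice rather than anything the thread specifies: each record gets a fresh AES-256-GCM data key, that key is wrapped with RSA-OAEP to the merchant's public key, and the merchant-side Open function is a small standalone program that needs no SQL Server. The order record and its field names are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is all the web/database server keeps (or ships in the daily batch)
// for one record. Nothing in it can be opened without the merchant's private key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted to the merchant's public key
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// GenerateMerchantKeyPair runs on the merchant's side, once. The private key
// never leaves that machine; only the PublicKey field is handed to the web server.
func GenerateMerchantKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal runs on the web server. It needs only the public key, so a compromised
// server gives up ciphertext and a wrapped key that cannot be unwrapped there.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 data key per record
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the server has no further use for the data key
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open runs on the merchant's side, where the private key lives. GCM also
// rejects any envelope that was altered in storage or in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Merchant side: key pair generated once, public half exported to the server.
	merchantKey, err := GenerateMerchantKeyPair(2048)
	if err != nil {
		log.Fatal(err)
	}
	// Web server side: a constructed sample record (the PAN is a standard test number).
	record := []byte(`{"order":1001,"pan":"4111111111111111","exp":"12/14"}`)
	env, err := Seal(&merchantKey.PublicKey, record)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("stored on server: %d-byte wrapped key, %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Ciphertext))
	// Merchant side: open the envelope received in the daily batch.
	plain, err := Open(merchantKey, env)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("merchant decrypted: %s\n", plain)
}
```

Two caveats on what this does and does not buy. The server still sees the card number in the web request before Seal runs, so taking the private key off the server protects the stored and shipped data, not data in flight through the application; and whether card data may be stored at all is a question for the merchant agreement, not for the encryption.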
albertkohl
Aged Yak Warrior
740 Posts
Posted - 2011-10-16 : 19:31:35

wow... can't even spell... encryption
Kristen
Test
22859 Posts
Posted - 2011-10-17 : 07:54:15

"web form stores data to a database"

For Credit Card details that may violate the merchant agreement (encrypted or not ...). I don't know the full details, but I know we get clients to sign very strict indemnity agreements when they insist on this, and even then our powers-that-be crawl all over everything to make sure there is no leakage; in fact I doubt a new client would be able to persuade our management to allow credit card storage anymore, notwithstanding that our largest customers say that 3D Secure hurts their business and are prepared to do battle with CC Companies to allow their sites to not invoke those checks (although I'm surprised that anyone is large enough to say to a CC Company "We won't accept your cards if you insist on this", but we have been asked to remove cards specifically when this has happened ... mine not to reason why!)

Much better to just use a third party ("3D Secure") gateway that takes the payment and you never get to see / store the card details.

If your clients are small you could use PayPal - that allows buyers to just use a Credit Card (if they don't have a PayPal account) - although IMHO the PayPal API is a nightmare to work with, the cost of testing for us is huge compared to other gateways we use, and given how many customers eBay must have using it I would have expected the testing processes on eBay to be much more streamlined.