Kaler
Starting Member
4 Posts
Posted - 2012-03-09 : 10:33:09

I am just wondering what the recommended way is to go about storing credit/debit card details in a SQL database and providing adequate security for items such as the 16-digit number on the card. Any help would be appreciated as I am new to trying this.
Kristen
Test
22859 Posts
Posted - 2012-03-09 : 10:50:54

You'd be better off not to store them at all, and use an external service (such as ProtX / Sagepay) to handle them for you (and do the 3D Secure etc.)

If you are storing them it raises issues with getting your security clearance from the CCard company (there's a name for that clearance, sorry, mind gone blank for the moment and forgotten the jargon).

Perhaps I should turn this round and ask why you want to store the CCard No, rather than process off-site?
uberman
Posting Yak Master
159 Posts
Posted - 2012-03-09 : 10:56:26

There will be all sorts of compliance issues, data protection issues... think about things like... what happens if someone walks off with my servers? Will they be able to decrypt the data? What do I do when the security is compromised and the credit card numbers are posted all over the internet?

I agree fully with Kristen; the words "storing credit/debit card details" and "...I am new to trying this" just don't go together.
Kaler
Starting Member
4 Posts
Posted - 2012-03-11 : 05:47:03

This is actually a fictional site for a college project, so no actual credit card details for real people are going to be used as I am learning. The reason I posted the question was to get feedback on which way is the best way to actually go about and deal with these matters, as I am in the design stage of creating my SQL tables and wanted to start off on the right foot :)
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2012-03-11 : 06:57:31

The best way is not to store them at all. Store the last 4 digits, store the authorisation code that you get back from the credit card processing company. What you don't store can't be stolen. Yes, that means that the customer must enter a credit card number on each purchase. Minor inconvenience for much better security and much lower risk.

If for whatever reason they have to be stored, then they need strong encryption in the front end app or middle tier. Don't use SQL encryption: anyone with sysadmin or db_owner permissions can decrypt columns encrypted with a key or certificate. Then you get into all the fun and games around key management and protection (and that's really not fun).

--
Gail Shaw
SQL Server MVP
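As an added example (not from the thread or any of its posters), here is a minimal application-tier design that follows Gail Shaw's "store the last 4 digits and the authorisation reference" advice for the college-project schema the original poster is designing: the entered card number is format-checked, handed to the payment service once, and only the last four digits, the expiry and the processor's reference are written to the table. `fake_processor_authorise` is a hypothetical stand-in for the external service, SQLite stands in for SQL Server so the code runs offline, the table definition is constructed for the example, and the card number is a well-known test value rather than a real account. The encryption path Gail mentions for the case where the PAN must be kept is deliberately not shown; the point of this design is that there is no PAN column to protect.

```python
import re
import secrets
import sqlite3
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on a digits-only PAN. It catches typos, not fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fake_processor_authorise(pan: str, expiry: str, amount_pence: int) -> str:
    """Hypothetical stand-in for the external payment service (not a real API).
    The real service receives the PAN over TLS and hands back an opaque
    authorisation/token reference; this stub returns a random one and forgets
    the PAN immediately."""
    return "AUTH-" + secrets.token_hex(8)


@dataclass(frozen=True)
class StoredCard:
    """Everything the application is allowed to persist about a card."""
    last4: str
    expiry: str           # MM/YY, so the site can prompt for re-entry later
    processor_ref: str    # reference returned by the payment service


def tokenise_card(raw_pan: str, expiry: str, amount_pence: int) -> StoredCard:
    """Validate the entered card, authorise it through the processor, and
    return only the fields that are safe to store. The full PAN is used
    once, for the processor call, and never returned."""
    pan = re.sub(r"[\s-]", "", raw_pan)
    if not luhn_ok(pan):
        raise ValueError("card number failed format/Luhn check")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    ref = fake_processor_authorise(pan, expiry, amount_pence)
    return StoredCard(last4=pan[-4:], expiry=expiry, processor_ref=ref)


# Constructed schema: there is deliberately no column for the PAN or the CVV.
SCHEMA = """
CREATE TABLE customer_card (
    card_id        INTEGER PRIMARY KEY,
    customer_id    INTEGER NOT NULL,
    last4          TEXT NOT NULL CHECK (length(last4) = 4),
    expiry         TEXT NOT NULL CHECK (length(expiry) = 5),
    processor_ref  TEXT NOT NULL UNIQUE
)
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # SQLite stands in for SQL Server here
    conn.execute(SCHEMA)
    return conn


def save_card(conn: sqlite3.Connection, customer_id: int, card: StoredCard) -> int:
    cur = conn.execute(
        "INSERT INTO customer_card (customer_id, last4, expiry, processor_ref) "
        "VALUES (?, ?, ?, ?)",
        (customer_id, card.last4, card.expiry, card.processor_ref),
    )
    return cur.lastrowid


def database_contains(conn: sqlite3.Connection, needle: str) -> bool:
    """Scan every stored value; used to show the PAN never reached the table."""
    for row in conn.execute("SELECT * FROM customer_card"):
        if any(needle in str(v) for v in row):
            return True
    return False


def demo() -> tuple:
    # Constructed, Luhn-valid test card number; not a real account.
    pan = "4111 1111 1111 1111"
    conn = open_store()
    card = tokenise_card(pan, "12/29", 1999)
    row_id = save_card(conn, 42, card)
    leaked = database_contains(conn, pan.replace(" ", ""))
    return card.last4, row_id, leaked


if __name__ == "__main__":
    print(demo())   # ('1111', 1, False)
```

Running the module shows that the persisted row holds only `1111`, the expiry and an `AUTH-...` reference, and `database_contains` confirms the full number is nowhere in the table. A later purchase with a saved card goes back to the processor with `processor_ref`, which is why the reference, not the card number, is what the schema keeps.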