Is MySQL secure enough to store credit card numbers on?

  • crunch42
    Member
    • Feb 2005
    • 43

    Is MySQL secure enough to store credit card numbers on?

    I've read elsewhere that it's not a good idea to store credit card numbers within MySQL when you're on a shared hosting environment, because even if the numbers are encrypted, and even if you have SSL, another person on the shared host could use SSH to read your php files to find your mysql login, and also find out how you encrypted those card numbers, and then those stored cards would be available to them.

    Anyone know if this is true with dathorn's servers (i.e. can we read each other's files somehow)?

    - Julian
  • Buddha
    Senior Member
    • Mar 2004
    • 825

    #2
    The account number, expiration date, and name are the only elements of track data that may be retained if held in a CISP-compliant manner.
    The question should be whether Dathorn is a CISP compliant service provider? We'd all be paying a lot more if Dathorn was CISP compliant. Of course, merchants also must be CISP compliant too.
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha


    • AndrewT
      Administrator
      • Mar 2004
      • 3653

      #3
      IMO, you should never store credit card information in any shared hosting environment, regardless of format.


      • Elite
        Senior Member
        • Apr 2004
        • 168

        #4
        The best way to handle this is to use a 3rd party processor to store and process the card details - that way they take on the responsibility and risk of storing those details


        • crunch42
          Member
          • Feb 2005
          • 43

          #5
          Of course, merchants also must be CISP compliant too.
          When you say must, do you mean this is a legal requirement, or is it a requirement if you want to conform to Visa's TOS, or maybe it's just a good idea?


          • Elite
            Senior Member
            • Apr 2004
            • 168

            #6
            Originally posted by crunch42
            When you say must, do you mean this is a legal requirement, or is it a requirement if you want to conform to Visa's TOS, or maybe it's just a good idea?
            From the link Buddha gives above:

            How CISP compliance works

            CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.
            So only if you want to process Visa cards

            Out of interest, why do you need to store the card number?


            • crunch42
              Member
              • Feb 2005
              • 43

              #7
              I'm a web developer who has a client with an online store, and they're using a shopping cart (Digishop) that has an option for storing credit card numbers. The client wants to enable this option so that repeat customers (of which they have many) have one less thing to type when submitting orders.


              • Elite
                Senior Member
                • Apr 2004
                • 168

                #8
                Ah ok - I think the pros are outweighed by the cons:

                Pros
                Card holder doesn't have to enter card number more than once

                Cons
                Security: What if the database is compromised? - the company could be responsible for an enormous amount of fraud
                If someone was to obtain the customer's login details for the website could they order using the card number, or worse maybe be able to view the customer's card details?

                You may also want to consider how you will handle the CVV code - As you cannot store this, I assume you would need to get this from the card holder on every transaction

                HTH
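
What replies #4 and #8 point toward, as an added example that is not part of the thread: the shop keeps only a processor-issued token, the last four digits and the expiry, and a guard refuses any row that still contains a Luhn-valid card number. `fake_processor_tokenize`, the token value and all field names are hypothetical; a real processor's API will differ.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes
PAN_LIKE = re.compile(r"(?:\d[ -]?){12,18}\d")

def contains_pan(value) -> bool:
    """True if the value holds a Luhn-valid 13-19 digit run (a likely card number)."""
    for m in PAN_LIKE.finditer(str(value)):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False

def fake_processor_tokenize(pan: str, expiry: str, cvv: str) -> str:
    """Hypothetical stand-in for the third-party processor's vault call."""
    return "tok_constructed_0001"           # constructed value, not a real token format

def saved_card_row(customer_id, pan, expiry, cvv, tokenize=fake_processor_tokenize):
    """Build the only card data the shop's own MySQL table would hold."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    row = {
        "customer_id": customer_id,
        # The CVV is passed to the processor for this transaction and never kept.
        "processor_token": tokenize(pan, expiry, cvv),
        "last4": pan[-4:],                  # enough for "card ending 1111" in the UI
        "expiry": expiry,
    }
    # Guard: refuse to hand the row to the database if any field looks like a card number.
    if any(contains_pan(v) for v in row.values()):
        raise RuntimeError("row would persist a card number")
    return row
```
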


                • crunch42
                  Member
                  • Feb 2005
                  • 43

                  #9
                  Good point. However the maxim, "the client gets what the client wants" overrides most considerations. I'll inform them of the risks and make them sign a waiver stating I'm not responsible if someone breaches security, and if they still want to go ahead then it's their liability (plus I'll use a dedicated server and all the security "tricks" I know).


                  • Elite
                    Senior Member
                    • Apr 2004
                    • 168

                    #10
                    Originally posted by crunch42
                    Good point. However the maxim, "the client gets what the client wants" overrides most considerations. I'll inform them of the risks and make them sign a waiver stating I'm not responsible if someone breaches security, and if they still want to go ahead then it's their liability (plus I'll use a dedicated server and all the security "tricks" I know).
                    Sounds like a plan


                    • Grunfeld
                      Senior Member
                      • Mar 2004
                      • 209

                      #11
                      Originally posted by crunch42
                      Good point. However the maxim, "the client gets what the client wants" overrides most considerations. I'll inform them of the risks and make them sign a waiver stating I'm not responsible if someone breaches security, and if they still want to go ahead then it's their liability (plus I'll use a dedicated server and all the security "tricks" I know).

                      Good Luck with the waiver, I am sure some lawyer out there will love charging you to draw one up, however it will not hold water for a second.. Your client is heading for a heap of trouble.... however I suspect you know this ....
                      Cheers,

                      Gary
                      (This space for rent)


                      • Buddha
                        Senior Member
                        • Mar 2004
                        • 825

                        #12
                        Originally posted by crunch42
                        When you say must, do you mean this is a legal requirement, or is it a requirement if you want to conform to Visa's TOS, or maybe it's just a good idea?
                        Well I'm a little late and Elite has already answered the question. However, I used CISP because it had better references ... I could Google it faster. There's also Mastercard's SDP program. They're both based on Payment Card Industry (PCI) Data Security Requirements though.

                        You might want to point out the fines for non-compliance and actual data loss. All it takes is the loss of a single card number. Of course, the programs usually only monitor the large merchants.
                        Originally posted by crunch42
                        Good point. However the maxim, "the client gets what the client wants" overrides most considerations. I'll inform them of the risks and make them sign a waiver stating I'm not responsible if someone breaches security, and if they still want to go ahead then it's their liability (plus I'll use a dedicated server and all the security "tricks" I know).
                        Originally posted by Grunfeld
                        Good Luck with the waiver, I am sure some lawyer out there will love charging you to draw one up, however it will not hold water for a second.. Your client is heading for a heap of trouble.... however I suspect you know this ....
                        I'm with Grunfeld, if you can't scare them straight then it's time to part company.

                        IMO, you should never store credit card information in any shared hosting environment, regardless of format.
                        I totally agree and it can't be said often enough.
                        Last edited by Buddha; 10-18-2006, 06:53 AM.

                        • james
                          Senior Member
                          • Mar 2004
                          • 183

                          #13
                          The web sites that I have developed for customers in the past deal with credit card numbers by:

                          - Only storing the middle 8 digits of the credit card number in a mysql orders database. Expiry date is also stored. If they require CVV, it is NOT stored.

                          - Emailing the first 4 and last 4 digits of the credit card number to a designated (off server) email address. This email contains a link to the online administration area, which once logged in with a username and password, allows the staff members to view the order details and the middle 8 digits.

                          In this case, in order to obtain credit card numbers, a hacker must have access to this (off server) email address, and also have access to the mysql database.

                          What does everyone think of this idea?

                          crunch42, you could always store only half the user's credit card, as well as the expiry date. This way, when they do another order they only have to enter half of the card number, and possibly the CVV if you want to save this.


                          • Buddha
                            Senior Member
                            • Mar 2004
                            • 825

                            #14
                            Originally posted by james
                            In this case, in order to obtain credit card numbers, a hacker must have access to this (off server) email address, and also have access to the mysql database.
                            Or they could just attack the computer used to access admin page - this computer probably has access to both sources of information and is probably a lot weaker than the server. Hackers always follow the path of least resistance.

                            • james
                              Senior Member
                              • Mar 2004
                              • 183

                              #15
                              Yes, that is true. It would only be a risk if they had their password saved for the admin login page.

                              If this did happen, however, I would think that my client would be at fault, not me. I would hope that I have done enough, and that my client's laziness has caused the hacker to gain access.
