Hi....
I am lost and confused in the world of security.
I am developing an online store (PHP/MySQL) and my client wouldn't listen to the voice of reason and wants to store credit card numbers on the server. We already have 2 machines (one is the DB and one is the webserver) connected by a private network and a firewall... What I need to do is to explain to the technicians in the datacenter how to set it all up - which ports to close, which processes to kill etc. - and I am really clueless...
What I don't understand is what will stop hackers from breaking into the webserver and then writing a tiny script that will just dump the whole DB on them - because the webserver has the permissions to connect to the DB server... 🙁
Another thing is encryption. I've seen suggestions that the credit card number should be encrypted with something permanent - like the username - as a key, but the username is stored in the same DB, so what good is that? Would it be better to store the CC# in a separate database (but still on the same machine as all the other data)?
I know I am asking a lot of questions, so really I would be more than happy if someone could point me to good resources (books, sites, etc.) on the subject.
Thanks a lot!
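The point raised above about encrypting with the username as the key, illustrated as an added example (not code from the original post): a key derived from a column that sits in the same table can be rebuilt from a database dump alone, while a key held outside the database cannot. The table layout, the card number (a constructed test value) and the key file path are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. Shows why deriving the encryption key
// from the username (stored in the same DB) gives no protection against a DB dump,
// while a key kept outside the database does.

function encrypt_pan(string $pan, string $key): array {
    // AES-256-GCM is authenticated, so tampering is detected; the key must be 32 bytes.
    $iv = random_bytes(12);
    $ct = openssl_encrypt($pan, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

function decrypt_pan(array $row, string $key) {
    // Returns the plaintext, or false when the key is wrong or the data was altered.
    return openssl_decrypt($row['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $row['iv'], $row['tag']);
}

$username = 'alice';
$pan      = '4111111111111111'; // constructed test card number

// Scheme A (weak): key derived from the username, which lives in the same table.
$rowA = ['username' => $username] + encrypt_pan($pan, hash('sha256', $username, true));

// Scheme B: key stored outside the database, e.g. a file readable only by the web
// application's service account and never present on the DB server (assumed path).
$externalKey = random_bytes(32); // in practice: file_get_contents('/etc/shop/pan.key')
$rowB = ['username' => $username] + encrypt_pan($pan, $externalKey);

// Model an attacker who obtained only a dump of the database, not the key file.
$dump = [$rowA, $rowB];
unset($externalKey);

// Scheme A: the dumped username is enough to rebuild the key and recover the PAN.
$recovered = decrypt_pan($dump[0], hash('sha256', $dump[0]['username'], true));
echo "Scheme A from dump alone: ", $recovered, "\n"; // prints the card number

// Scheme B: nothing in the dump yields the key, so the same attempt fails.
$guess = decrypt_pan($dump[1], hash('sha256', $dump[1]['username'], true));
echo "Scheme B from dump alone: ", $guess === false ? 'decryption fails' : $guess, "\n";
```

This only separates exposure of the database from exposure of the key: if the key is readable by the webserver process, an attacker who controls the webserver (the scenario raised earlier in the post) can still decrypt every row.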