What are some guidelines for handling sensitive information?

I am currently creating an application for a client that will allow them to automatically pay their customers' credit cards.

I am curious about the best practices to safely store and access credit card information and, for that matter, any other confidential information such as social security numbers, account numbers, etc. on the.

I am working on the assumption that some type of encryption will be used, but before I go deeper, I wanted to see how others handle these types of requirements.

Not important, but we are developing the software using Microsoft SQL Server for the database and C# and ASP.NET for the application.

+4

6 answers

Read the PCI requirements. Everything you need is in there.

Actually, you must follow them.

+5

1 - Do not even collect SSNs unless you really need them. And if you are not a bank or a government agency, you most likely do not.

2 - Do not collect other confidential information unless you really need it.

3 - Use every appropriate control (a separate machine for the database, a firewall, access control, etc.) for what you really do need to store.

+3

Use strict hardening standards to protect the host system, both in terms of OS and physical security, such as the NSA recommendations.

Put the database on a separate system from the web server and other functions to limit physical access and privilege escalation.

Code defensively to avoid SQL injection attacks and similar exploits.

When developing, build security in from the start. Going back and bolting security on afterwards will be difficult and error prone.

Try to separate the different parts of the application, i.e. do not use the same view or controller to access "public" and "private" data.

Know and abide by all local laws regarding the processing of this data... there are a lot of them.

Keep a quote from an envelope supplier on hand so you can notify your customers in case of a breach. If you lose the information of 26 million customers, you may not be able to buy enough envelopes to meet the legal deadlines for notifying them of the breach.

+3

I wouldn't. I mean, do you really need to?

There is a strong market for third-party payment services that can take the information for you and simply send you a message when the payment has been made. There are alternatives such as PayPal, and you can protect the data with MD5 or SHA1, discarding little details like the exact string of numbers.

+1

Different applications have to comply with different levels of the PCI standard. If your application simply collects CC numbers and then sends them to a third-party PCI-compliant payment gateway, your compliance requirements are not so bad, provided that you do not store the card number or the CVV.

In terms of logging, you should "mask" the credit card number, e.g. keep the first 6 digits and the last 3 digits but obscure the digits in between. Do not log the CVV at all.

The PCI standard documents are detailed, but it all comes down to what your application does and what level of compliance you require.

+1
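The log masking described in the answer above, written out as an added C# example; this is not code from the original thread. It assumes a log line is a plain string and treats any run of 13 to 19 digits that passes the Luhn check as a card number; the class and method names and the sample log line are constructed for this illustration. The default keeps the first six and last four digits, which is the most PCI DSS allows to be displayed; keeping only the last three, as the answer suggests, is stricter and works with the same function.

```csharp
using System;
using System.Text.RegularExpressions;

public static class PanMasking
{
    // Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
    private static readonly Regex CandidatePan =
        new Regex(@"\b(?:\d[ -]?){12,18}\d\b", RegexOptions.Compiled);

    // Luhn check (ISO/IEC 7812). Every real card number passes it, which filters out
    // most order ids, timestamps and phone numbers that merely look like a PAN.
    public static bool PassesLuhn(string digits)
    {
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt)
            {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Keep the first keepLeading and last keepTrailing digits, replace the rest with 'X'.
    // Defaults follow PCI DSS 3.3 (at most first six / last four shown).
    public static string MaskPan(string digits, int keepLeading = 6, int keepTrailing = 4)
    {
        if (keepLeading + keepTrailing >= digits.Length)
            throw new ArgumentException("Mask would reveal the whole PAN");
        return digits.Substring(0, keepLeading)
             + new string('X', digits.Length - keepLeading - keepTrailing)
             + digits.Substring(digits.Length - keepTrailing);
    }

    // Scrub every Luhn-valid candidate from a log line before it reaches any sink.
    public static string ScrubLogLine(string line, int keepLeading = 6, int keepTrailing = 4)
    {
        return CandidatePan.Replace(line, m =>
        {
            string digits = Regex.Replace(m.Value, "[^0-9]", "");
            return PassesLuhn(digits) ? MaskPan(digits, keepLeading, keepTrailing) : m.Value;
        });
    }

    public static void Main()
    {
        // Constructed sample line. 4111 1111 1111 1111 is the well-known Visa test number;
        // the order id has 14 digits but fails Luhn, so it is left alone.
        string logLine = "2009-05-01 12:00:01 charge ok card=4111 1111 1111 1111 order=20090501123457";
        Console.WriteLine(ScrubLogLine(logLine));
        // 2009-05-01 12:00:01 charge ok card=411111XXXXXX1111 order=20090501123457

        // The stricter variant from the answer: first six, last three.
        Console.WriteLine(ScrubLogLine(logLine, 6, 3));
        // 2009-05-01 12:00:01 charge ok card=411111XXXXXXX111 order=20090501123457
    }
}
```

Two caveats a practitioner will want. The Luhn test reduces false positives but does not eliminate them: roughly one random number in ten passes it, and such a number will be masked too, which is the right way to fail in a log. The scrubber has to sit in front of every sink (files, database tables, the SIEM forwarder, exception reports), not just the application's own logger. The CVV cannot be recognised this way, since it is three or four arbitrary digits, so the only workable rule is the one the answer gives: never pass it to a log call at all.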

Be familiar with the OWASP threats and know exactly how to counter them in your application and its environment. It's hard to believe how many people come up with silly half-solutions for SQL injection and cross-site scripting attacks.

0
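The SQL injection and cross-site scripting "half-solutions" warned about in the two answers above, placed next to the parameterized and encoded versions, as an added C# (ADO.NET and System.Web) example; none of this is code from the thread. The `Customers` table, its `CustomerId` and `CardToken` columns, the `1 OR 1=1` input and the method names are constructed for the illustration; storing a token issued by the payment gateway instead of the card number is in line with the earlier answers.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class InputHandling
{
    // VULNERABLE: the customer id is concatenated into the SQL text, so an input
    // such as  1 OR 1=1  or  1; DROP TABLE Customers--  becomes part of the query.
    public static string BuildLookupSql_Unsafe(string customerId)
    {
        return "SELECT CardToken FROM Customers WHERE CustomerId = " + customerId;
    }

    // The half-solution: stripping quotes does nothing against a numeric column,
    // because  1 OR 1=1  needs no quotes at all.
    public static string StripQuotes(string s)
    {
        return s.Replace("'", "");
    }

    // SAFE: the SQL text is fixed and the value travels as a typed parameter, so it
    // is never parsed as SQL, whatever it contains. The caller must have already
    // turned the request string into an int (see int.TryParse in Main).
    public static SqlCommand BuildLookupCommand(SqlConnection conn, int customerId)
    {
        var cmd = new SqlCommand(
            "SELECT CardToken FROM Customers WHERE CustomerId = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    // XSS: anything echoed into a page must be encoded for the HTML context it lands in.
    public static string RenderCustomerName(string name)
    {
        return "<td>" + HttpUtility.HtmlEncode(name) + "</td>";
    }

    public static void Main()
    {
        string hostile = "1 OR 1=1";

        Console.WriteLine(BuildLookupSql_Unsafe(hostile));
        // SELECT CardToken FROM Customers WHERE CustomerId = 1 OR 1=1   (every row)

        Console.WriteLine(BuildLookupSql_Unsafe(StripQuotes(hostile)));
        // identical: the "fix" removed nothing

        // Validate the type at the boundary; the payload never reaches the database.
        int id;
        Console.WriteLine(int.TryParse(hostile, out id)); // False

        Console.WriteLine(RenderCustomerName("<script>alert(1)</script>"));
        // <td>&lt;script&gt;alert(1)&lt;/script&gt;</td>
    }
}
```

The two defenses are structural rather than filter-based: the parameter keeps data out of the SQL parser entirely, and the encoder is chosen by output context (HTML body here; an attribute, a URL or a JavaScript string each need their own). Blacklisting characters, as `StripQuotes` does, is exactly the kind of half-solution the last answer describes.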

Source: https://habr.com/ru/post/1277589/
