View Full Version : Securely Storing Credit Card Details

08-07-2008, 12:00 PM
I am Looking for advice on how to store credit card details securely.
I am about to develop a new website (details being finalized). The project consists of a website that requires a users credit card details to be stored to a database. Unfortunately there is no way around this (I tried to advise against storing the details - but this is a mandatory part of the business). The site requires mysql and php.

So far I have the following:

- use an ssl-ev certificate on the webserver (xampp)
- store the mysql database on another server (also xampp) and restrict permissions depending on the action taking place.
- use 256bit php encryption, and hashing for passing variables and clean mysql data (mysql_real_escape_string) before submitting it to the database.

(The site is a public site and the owners want to stay away fro the username password route for clients).

The system is for a company that claims back credit card charges. Users enter personal information and add credit card details so that the company can claim back the credit card charges. Therefore they need to store the details but users never need to access the system again (hence no login information). I was thinking of only giving the website 'write' permissions. The data can then be accessed internally only - by staff (who Will have to login to access the data). I was going to restrict access to the internal website by only allowing internal IP addresses (192.168.*.*).

I've read that amazon use a seperate server connected via a serial port because it is easy to analyse the data being passed through and check why it is being accessed. Anyone know how you would check the information being passed through the serial port?

I believe the servers will be behind a sonicwall hardware firewall.

I should also add that there are no actual transactions taking place. All transactions are delt with offline. The system just needs to be secure to hold the personal and credit card data.

I have a 256bit encryption alogithm for storing details. I was going to use sourceGuardian or similar to encode the key and php files (probably pre-encrypt the key first as well).

Does anyone have any other/more ideas on how to ensure security on the above - or perhaps a different process?
Have I missed anything?