
I'm a newbie when it comes to security. I've read posts that mentioned that encryption alone doesn't make an app, website or database secure.

I'm also new to certificates and stuff. I've barely touched these things, but I'm gonna create a website that connects to my local testing database for the purpose of testing the security and as a temporary playground.

It's basically like UBER. I want to prevent the server/database from being accessed and to prevent data from being stolen; what kind of security system do I actually need for this type of website or service?

PS: Currently I'm using Bitnami WAPP stack. I use Apache/PHP combined with PostgreSQL.

Joshua Rajandiran
  • It's probably safer to engage a payment processor and let them handle credit card and bank details. (Uber also does that) – Thilo May 18 '16 at 04:35
  • Okay, then in the case where I want to prevent the server/database from being accessed and to prevent data from being stolen, what kind of security system am I supposed to look at? – Joshua Rajandiran May 18 '16 at 04:42
  • Regardless of which safety measurement recommendations you will find here or elsewhere, you should check your country's regulations about saving sensitive data. I can tell you that in my country there are laws about it, and if someone hacks a database and steals credit card numbers, any person can sue the owner of that database for breach of confidence – java May 18 '16 at 07:15
  • @Joshua you can use tokenization, in addition to hashing and encryption, for storing card information in the db. Hash and token are both irreversible; that's why you'll need encrypted data for processing. The db should be wrapped under a secure application. And both application and db should be separate from business applications and the business db. It'll be great if they are in a different LAN or VPN under a firewall with JSON Token Security, HTTPS and controlled access with authorized user name, server MAC address/IP and business application name. – emkays May 26 '16 at 19:10
  • You can also look into threat modeling and vulnerability scans for both db and application. – emkays May 26 '16 at 19:14

2 Answers


Only store credit card details on your server when you can't rely on a third party. A safe way is having credit card details stored encrypted using public key cryptography with your password-protected private key, so you can reveal the credit card details on your personal machine (e.g. via javascript libraries in your web-based application) by holding the private key file and entering the password. That way the credit card details are never stored anywhere in the clear, and are only visible to you and anyone you authorise by giving them your private key file and password.

Ezequiel Tolnay
  • Is this method good enough even for large database systems that hold millions of accounts? – Joshua Rajandiran May 18 '16 at 07:42
  • Size of the database is not an issue. The issue would be the size of the enterprise (i.e. the people involved in accessing that encrypted data), and the complexity of operations required to be done involving accessing unencrypted credit card information. In general, proper (i.e. professionally managed and monitored) firewall and database security, coupled with encryption at rest is sufficient for enterprises. For small companies and individuals, public key cryptography (with private keys held in personal computers) is sufficient and perfectly secure, even for hosted databases. – Ezequiel Tolnay May 18 '16 at 07:49

Using third parties like Braintree or Stripe is a highly recommended idea. Let their big teams of security experts deal with the security side of things. That way, even you and your employees can't see customers' credit card details (only the last 4 digits), but you can still charge them via the third party. Customers appreciate knowing their info is safe.

I'd rather give my card details to PayPal and let 100 companies use PayPal to charge me, instead of giving my card details to 100 companies.

Mirror318