What are the best practices for handling sensitive information?

Time: 2021-03-30 20:03:54

I'm currently creating an application for a customer that will allow them to automatically bill their customers' credit cards.


I'm curious as to what are some best practices to safely store and access the credit card information, and for that matter, any other sensitive information, like social security numbers, account numbers and so on.


I'm assuming encryption of some type will be employed, but before I dig in too deep I wanted to see how others are handling these types of requirements.


Not that it matters, but we are designing the software using Microsoft SQL Server for the database, and using C# and ASP.NET.


6 answers

#1 (score 5)

Read the PCI requirements. Everything will be there.


Actually, you must follow them.


#2 (score 3)

1 - don't even collect SSNs unless you really need them. And unless you're a bank or the government, chances are you don't.


2 - don't collect other sensitive info unless you really need to


3 - use whatever controls are appropriate (separate machine for the database, firewalled, access controlled, etc) for the stuff you do really need to keep.


#3 (score 3)

Use aggressive standards to secure the host system both in terms of OS and physical security, such as the NSA guidelines.


Put the database on a separate system from the web server or other functions to prevent physical access and permission escalation exploits.


Program defensively to avoid SQL injection attacks and similar exploits.


When developing, program with security in mind first. Coming back afterwards and applying security will be difficult and error prone.


Try to separate the various parts of the application... i.e. don't use the same viewer or controller for "public" access and "private" access.


Be aware of and comply with all local laws regarding handling of this data... There are a lot of them out there.


Keep a supply of envelopes around to notify your customers in the event of a breach. If you lose information for 26 million customers, you might not be able to acquire enough envelopes to meet the legal timeframe for notifying them of a breach.


#4 (score 1)

Different PCI standards compliance is required for different applications. If your application simply collects CC numbers and then submits them to a 3rd party PCI compliant payment gateway, your compliance requirements aren't too bad - provided you don't store the card number or CVV.


In terms of logging, you should "gut" the credit card number, e.g. retain the first 6 digits and last 3 digits but obscure the intermediate digits. Do not log CVV at all.


The PCI standard documents go into great detail, but it all depends on the requirements of your application as to what level of compliance you require.

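The log-masking advice in this answer, as an added example that is not code from the question or any answer. The function below finds anything in a log line that looks like a card number, keeps it only if it passes the Luhn check (so order numbers and timestamps are left alone), and masks it to the first six and last four digits, which is the most PCI DSS requirement 3.3 permits to be displayed; CVV-style fields are dropped entirely. The log lines in the test and the field names matched by `CVV_FIELD` are constructed for the demonstration.

```python
"""Redact primary account numbers (PANs) and CVV values before they reach a log.

Added example for this page, not code from the question or answers.
Masks to first six / last four (the maximum PCI DSS req. 3.3 allows to be shown)
and never lets a CVV through. Sample inputs are constructed.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names are an assumption about what an app might log; extend as needed.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security[_ ]code)\s*[=:]\s*\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, e.g. '4111 1111 1111 1111' -> '411111******1111'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_log_line(line: str) -> str:
    """Mask every Luhn-valid PAN in a log line and remove CVV values outright."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # e.g. an order id that merely looks like a card number
        return mask_pan(digits)

    line = PAN_CANDIDATE.sub(_sub, line)
    return CVV_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
```

Apply `redact_log_line` in the logging layer (a formatter or filter), not at each call site, so a developer who forgets cannot leak a PAN. Keeping the CVV out of logs is the easy part; the requirement is that it is never persisted anywhere, including crash dumps and request traces.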

#5 (score 1)

Don't - I mean, do you really need to?


There is a strong market of third party payment services who can receive the details for you and simply send you a message when payment has been made. There are alternates like PayPal and you can protect the data with MD5 or SHA1 - discarding trivia such as the exact string of digits.


#6 (score 0)

Be intimate with the OWASP threats and know precisely how to counter them in your application and framework. It's hard to believe how many people embrace goofy half-solutions to SQL injection and cross-site scripting attacks.

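The SQL injection point raised in answers #3 and #6, as an added example that is not code from the question or any answer. It places the string-built query beside its parameterized form and runs the classic tautology payload against both. The asker's stack is C#/SQL Server; the pattern is identical there with `SqlCommand.Parameters`, but an in-memory sqlite3 database is used here so the example runs offline. The table, its rows and the payload are constructed; note the table follows answers #4 and #5 by storing a gateway token and a masked PAN rather than the card number.

```python
"""Vulnerable concatenated query beside its parameterized fix.

Added example for this page, not code from the question or answers.
sqlite3 in memory stands in for SQL Server; table contents are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed billing table: holds a gateway token and masked PAN, never the PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE billing (customer_id INTEGER, email TEXT, card_token TEXT, pan_masked TEXT)"
    )
    conn.executemany(
        "INSERT INTO billing VALUES (?, ?, ?, ?)",
        [
            (1, "alice@example.com", "tok_a1", "411111******1111"),
            (2, "bob@example.com", "tok_b2", "550000******0004"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The half-solution: user input is spliced into the SQL text."""
    sql = "SELECT customer_id, card_token FROM billing WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the SQL text."""
    return conn.execute(
        "SELECT customer_id, card_token FROM billing WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload (constructed): closes the quote and appends OR '1'='1'
PAYLOAD = "nobody@example.com' OR '1'='1"


def demo() -> dict:
    """Run both lookups with the payload and one legitimate lookup for comparison."""
    conn = make_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, PAYLOAD),  # every customer's token
        "safe_rows": lookup_safe(conn, PAYLOAD),              # no such email: empty
        "legit_rows": lookup_safe(conn, "alice@example.com"),
    }
```

The vulnerable lookup returns every row because the payload turns the WHERE clause into a tautology; the parameterized version compares the whole payload string against the column and finds nothing. Escaping quotes by hand, or blacklisting keywords, is the kind of half-solution #6 refers to; binding parameters removes the problem instead of chasing it.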
