
Re: [cobalt-security] Credit card



"duncan gray" <duncanrobertgray@xxxxxxxxx> wrote:
> So really the main issue is getting the information off the server
> as soon as possible, so if for some reason you were hacked,
> they only get 1 number, or none as you've already removed them.

I wouldn't even want to risk someone accessing a single credit card number.
If someone hacks into the server they'll be able to access all of the credit
card info you store in plain text, regardless of how long the data stays on
the drive.  All that's needed is a process that monitors for new credit card
info and records it or emails it somewhere.  Sure, the hacker might only be
able to get info. from one transaction at a time, but that isn't going to
make you look any better when you're hacked and the info. is stolen.

> I'm sure holding CC details on the server would be more secure
> than the office next door, where all someone has to do is break
> a window (ok yeah just an example), take the receipts. etc. Or
> just look over someone's shoulder when they are making a
> payment somewhere.

Well, if your server is connected to the Internet, then it's possible for an
intruder to be located anywhere on the planet.  If the credit card info. is
in your office the potential intruders are a little more geographically
restricted.  <g>  Seriously, in any case it's advisable to take the proper
precautions.  If you process the credit card info. yourself then it's
advisable to encrypt it using gnupg or pgp and either keep no
paper/electronic trail of unencrypted info. or keep it very, very secure and
definitely off your server.  Otherwise it's worth considering using a
reputable 3rd party credit card processing company so you never have or need
to have the credit card info. yourself.  My 2 cents.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
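The arrangement Steve recommends above (encrypt with gnupg on the server, keep the private key and any plaintext off it) written out as an added example. This is not code from the original thread or from anyone on the list; the key identity, the temporary directories and the sample order record are constructed for the demonstration. It shows the two things an admin would check on such a setup: that the server's keyring holds no secret key, so the stored ciphertext cannot be opened there even by root, and that the record is recoverable only on the offline machine that holds the private key.

```shell
#!/bin/sh
# Added example, not from the original post: capture-side encryption with
# GnuPG so the web server holds only a public key. The key identity, paths
# and the order record below are constructed for this demonstration.
set -eu

# Constructed test record. A real capture path would pass the order data
# straight into encrypt_record and never write it to disk in the clear.
SAMPLE_RECORD='order=1001 name="Example Customer" pan=4111111111111111 exp=12/29'
KEY_UID='Order Decryption <orders@example.test>'   # hypothetical key identity

# Offline workstation: generate the key pair here. The secret key never
# leaves this GNUPGHOME.
make_offline_keypair() {   # $1 = offline GNUPGHOME
    gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" default default never >/dev/null 2>&1
}

# Server: import only the public key. Returns 0 only if the server keyring
# ends up with no secret key at all (the check an admin should repeat).
install_public_key_only() {   # $1 = offline GNUPGHOME, $2 = server GNUPGHOME
    gpg --homedir "$1" --batch --export --armor "$KEY_UID" \
        | gpg --homedir "$2" --batch --import >/dev/null 2>&1
    [ -z "$(gpg --homedir "$2" --batch --list-secret-keys --with-colons 2>/dev/null | grep '^sec')" ]
}

# Server: encrypt a record to the offline key the moment it is received.
# --trust-model always avoids the "untrusted key" prompt in batch mode.
encrypt_record() {   # $1 = server GNUPGHOME, $2 = record text, $3 = output file
    printf '%s\n' "$2" | gpg --homedir "$1" --batch --yes --trust-model always \
        --armor --recipient "$KEY_UID" --encrypt --output "$3" 2>/dev/null
}

# Anyone on the server, intruder included, can only try and fail to decrypt.
server_can_decrypt() {   # $1 = server GNUPGHOME, $2 = ciphertext file
    gpg --homedir "$1" --batch --decrypt "$2" >/dev/null 2>&1
}

# Offline workstation: decrypt with the secret key; prints the record.
decrypt_offline() {   # $1 = offline GNUPGHOME, $2 = ciphertext file
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --decrypt "$2" 2>/dev/null
}

# Runs the whole flow in throwaway directories. Prints the record recovered
# offline and returns 0 only if every server-side check held:
# no secret key on the server, no card number in the stored file,
# and decryption on the server fails.
run_demo() {
    offline=$(mktemp -d /tmp/offline.XXXXXX)
    server=$(mktemp -d /tmp/server.XXXXXX)
    chmod 700 "$offline" "$server"
    result=1
    if make_offline_keypair "$offline" \
       && install_public_key_only "$offline" "$server" \
       && encrypt_record "$server" "$SAMPLE_RECORD" "$server/order-1001.gpg" \
       && ! grep -q 4111111111111111 "$server/order-1001.gpg" \
       && ! server_can_decrypt "$server" "$server/order-1001.gpg" \
       && decrypt_offline "$offline" "$server/order-1001.gpg"; then
        result=0
    fi
    # Stop the agents gpg started for the temporary homedirs, then clean up.
    gpgconf --homedir "$offline" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$server" --kill gpg-agent 2>/dev/null || true
    rm -rf "$offline" "$server"
    return $result
}

run_demo
```

The quick audit on a live box is the same `gpg --list-secret-keys` call used in install_public_key_only: if it prints anything, the encryption is decorative, because whoever takes the server takes the key with it. The caveat Steve raises still applies: the record exists in the clear inside the capture process for the moment before gpg runs, so an intruder who has already planted something that watches new submissions gets it at that point regardless. Public-key encryption limits what is at rest on the server; only handing the card data to a third-party processor removes it from the server entirely.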