[nycphp-talk] Mom and Pop CC Security
Hans Zaunere
zaunere at yahoo.com
Mon Jul 22 14:02:49 EDT 2002
There are of course many variables, but here are some things I've run
into, dealing with medical data:
--- Jim Musil <jim at nettmedia.com> wrote:
> Let's say a user fills in his/her credit card number into a web form
> and then submits the form via https to a secure server.
Assuming proper configuration, this should be as solid as one would
expect.
> The user's order and credit card info are stored in a mySQL database.
How does the data get from webserver -> MySQL? Same physical box?
Encrypted? We've been looking at MySQL 4.x for p-t-p SSL encryption.
> Then, the owner of the site goes to a dynamic page which also lives
> on the same secure server. This page lists all the orders and the
> credit card numbers.
Is the owner's access via SSL as well? Is his computer secure? Is his
computer shared by anyone/in a public area? Is the data cached at all
(browser/proxy)?
> The owner then processes the credit card order by hand in his/her
> shop and deletes and marks the order as processed.
Of course security is only as good as the people that use the system!
> What security holes exist in this scenario?
This is just a start. How secure are the boxes themselves? The
network? Are they running latest/secured php/apache/ssh/etc? Physical
security? Who has access/administers them? Are the backup tapes/media
secured, physically?
This may be pedantic, but we've been dealing with medical data, and thus
HIPAA regulation, so I'm learning to be extremely anal about things.
HZ
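Two of the questions raised above, whether the webserver-to-MySQL hop is encrypted and whether the owner's order page gets cached by a browser or proxy, can be checked in code rather than assumed. The following is an added example written for this page, not code from the original thread or from anyone on it; it uses modern PHP with the mysqli extension. The host name, account, database name and certificate paths are assumptions. It also assumes the MySQL server has been started with SSL enabled; creating the application account with REQUIRE SSL on the server side is a sensible complement, so the server refuses cleartext logins even if the client is misconfigured.

```php
<?php
// Added example, not from the original nycphp-talk message. Assumes PHP with
// mysqli, a MySQL server started with SSL enabled, and hypothetical paths for
// the CA certificate and client key/cert. Credentials are placeholders.

declare(strict_types=1);

// Turn mysqli failures into exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a MySQL connection that must be TLS-encrypted. If the server ends up
 * negotiating a cleartext session, refuse it rather than sending card data.
 */
function connect_encrypted(string $host, string $user, string $pass, string $db): mysqli
{
    $link = mysqli_init();
    if ($link === false) {
        throw new RuntimeException('mysqli_init failed');
    }

    // The CA file is what lets the driver check the server certificate; the
    // client key/cert are only needed if the server demands client auth.
    // All three paths are assumptions for this example.
    $link->ssl_set(
        '/etc/ssl/private/app-client-key.pem',
        '/etc/ssl/certs/app-client-cert.pem',
        '/etc/ssl/certs/mysql-ca.pem',
        null,
        null
    );

    // Ask for TLS on the connection.
    $link->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    // Do not trust the flag alone: ask the server which cipher is in use.
    // An empty Ssl_cipher means the session is running in the clear.
    if (negotiated_cipher($link) === '') {
        $link->close();
        throw new RuntimeException('MySQL session is not encrypted; refusing to proceed');
    }

    return $link;
}

/** Return the TLS cipher the server reports for this session, or '' if none. */
function negotiated_cipher(mysqli $link): string
{
    $result = $link->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $result->fetch_assoc();
    return $row['Value'] ?? '';
}

/**
 * Headers for the owner's order-listing page so that neither the browser nor
 * an intermediate proxy keeps a copy of a page full of card numbers.
 */
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, private');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Owner's order page: headers first, then an encrypted DB session, then the
// listing. Password comes from the environment rather than the script.
send_no_cache_headers();
$db = connect_encrypted('db.internal', 'shop', getenv('SHOP_DB_PASSWORD') ?: '', 'shop');

$stmt = $db->prepare('SELECT id, customer, card_number FROM orders WHERE processed = 0');
$stmt->execute();
$orders = $stmt->get_result();

while ($order = $orders->fetch_assoc()) {
    echo htmlspecialchars($order['id'] . ' ' . $order['customer'] . ' ' . $order['card_number']), "\n";
}
```

The check on Ssl_cipher is the part worth keeping even if the rest is adapted: a client library can negotiate down to cleartext when the server side is not configured for SSL, and asking the server what it actually negotiated makes the test independent of driver behaviour. The cache headers address the browser/proxy question for the owner's page; they do nothing about what the owner does with the numbers once they are on screen, which the message above rightly points out is a people problem.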