security - Collecting Credit Card Information - not to collect payment
I'm working in PHP on a Linux server with MySQL.
I have a requirement (that I have attempted to talk them out of) to collect credit card information from users so that our company can use the card numbers to hold hotel rooms for a conference. We are not charging the cards ourselves at all, instead sending them on to the hotel. They need to be able to download a CSV file, and each time someone signs up an email should go to the admin with the information.
I tried to explain that this wasn't secure, but several other developers have done it for them in the past before I was working here.
My question is: is there any way to make this secure? If not, are there third-party options to make this happen?
Edit:
I appreciate what has been posted so far; it has made me want to attempt this less and less. If anyone could add to the answers simple explanations, oriented at non-tech people, it would be appreciated; in fact a site I could source and link to would help me a great deal. I haven't found any sites that explain this in a non-tech way.
It's a bad idea to store card details. You're opening up a world of pain in the form of PCI-DSS audits. It's not as simple as 'use encryption'; you need to have processes in place to securely manage encryption keys, schedule key rotation, securely log access, and so on, and on... Storing card details is something you absolutely want to avoid.
If you have to have something in place, the best option may be to (as a company) take payments from the credit cards into your own merchant account, and pay the hotels separately (from a bank account/whatever). You act as a proxy for the client making the payment to the hotel.
Most payment gateways allow you to store card details securely and charge them at a later date (using a token ID returned by the gateway), which would be useful here. You won't be able to retrieve the card details to pass them through to the hotel in any way, which is why you would need to take the payment yourself and organise a separate payment to the hotel.
It's still quite an undertaking though, because a lot of areas of PCI-DSS come into play even with this simplified solution.
As you asked, here is some more information:
PCI-DSS is the Payment Card Industry Data Security Standard. It's a set of guidelines that apply to any company that 'touches' cardholder data, in particular the card number. Touching literally means any handling of the data; having it pass through your network without ever being persisted to disk is enough to mandate that you must comply (though it is easier if you don't persist the details to disk).
You didn't yet state what part of the world you're in, or how these card details are captured (internet/telephone/in person). These details are significant to how you can achieve compliance.
Start by taking a look at the PCI-DSS SAQs (Self Assessment Questionnaires). These SAQs are the minimum requirements for companies that do not store cardholder details to disk, and should give you an impression of the security that needs to be in place across your network and the policies that should be applied across the company.
As I said, if you're thinking of storing card details things get more complicated, because as a general rule the SAQ is no longer enough. You will need to enrol the assistance of a QSA (Qualified Security Assessor) to visit and advise on best practice for data storage and the various other points that come into play. At this level of compliance you're looking at yearly audits (carried out by a QSA) and quarterly network scans. Take a look at the audit procedures to see what is involved. In particular take a look at section 3, and do not underestimate the difficulty of implementing proper key management.
In summary, full PCI compliance is costly. Even if your company already has pretty strong security policies, the cost of bringing in a QSA and running quarterly scans and yearly audits alone will cost $thousands.
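The answer's recommended shape (let the gateway vault the card and keep only the token it returns) is easy to get wrong on the application side. The following is an added illustration, not code from the question or the answer: `MockGatewayVault` is a constructed stand-in for a gateway's tokenization service (it has no real API and is only here so the example runs offline), the Luhn check is a standard format check and not something the answer mentions, and all function names and the test card number are assumptions. It shows what the application is allowed to keep (token and last four digits), that the CSV export and log lines never contain a full PAN, and that a later charge is made through the token rather than the card number.

```python
"""Tokenized card handling on the application side (added example, not from the post).

The gateway below is a constructed mock: in a real deployment the token -> PAN
mapping lives inside the PCI-scoped gateway, never in the application database.
"""
import csv
import io
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum on a digits-only PAN (a format check, not authorisation)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class MockGatewayVault:
    """Constructed stand-in for a payment gateway's tokenization endpoint."""

    def __init__(self):
        self._vault = {}        # token -> PAN; only the gateway ever holds this

    def tokenize(self, pan: str) -> dict:
        """Accept a card number once and hand back an opaque token plus last4."""
        if not luhn_valid(pan):
            raise ValueError("card number failed format check")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Charge by token; the application never needs the PAN again."""
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "approved", "token": token, "amount_cents": amount_cents}


# Any 13-19 digit run bounded by non-word characters is treated as a possible PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(text: str) -> str:
    """Replace possible PANs in free text (log lines, emails) with a last4-only form."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)


def contains_pan(text: str) -> bool:
    """Cheap pre-export check: refuse to write anything that looks like a full PAN."""
    return PAN_RE.search(text) is not None


def register_attendee(gateway: MockGatewayVault, name: str, email: str, pan: str) -> dict:
    """Store only what the application may keep: token and last4, never the PAN."""
    ref = gateway.tokenize(pan)   # the PAN leaves scope here and is not retained
    return {"name": name, "email": email,
            "card_token": ref["token"], "card_last4": ref["last4"]}


def export_csv(records: list) -> str:
    """The admin CSV the question asks for, built from tokenized records only."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email", "card_token", "card_last4"])
    writer.writeheader()
    for rec in records:
        writer.writerow(rec)
    out = buf.getvalue()
    if contains_pan(out):
        raise RuntimeError("refusing to export: full card number detected")
    return out


if __name__ == "__main__":
    gw = MockGatewayVault()
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    rec = register_attendee(gw, "Ada Example", "ada@example.com", "4111111111111111")
    print(export_csv([rec]))
    print(mask_pan("signup from ada@example.com with card 4111111111111111"))
    print(gw.charge(rec["card_token"], 15000))
```

The point of `export_csv` refusing to write anything that matches a PAN pattern is that the original requirement (a CSV containing the card numbers) cannot be met under this design; the hotel has to be paid separately, exactly as the answer says.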