January 8, 2010 at 6:57 am
Hi experts,
I maintain an order entry system that consists of an Access front end with a SQL2K back end. My company recently started accepting credit card payments. The sales team does need to keep the credit card info on file for a while after the order is entered. I created a stored procedure that deletes the info after 30 days, but it is still being stored and saved during db backups. This is not a web app (yet), and all the data stays "in house", but I'm still nervous about saving credit card info.
What is the recommended way to secure/encrypt this type of data?
January 8, 2010 at 7:43 am
I would probably encrypt and decrypt in the application, before it ever gets sent to the database. That way, it's not even plain-text on the network between the two. Probably best if that's done through a compiled DLL, not through a script in the Access app, since those are a little too easy to get into and get the encryption key from.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
January 8, 2010 at 7:52 am
If you are on SQL 2000, I'd use GSquared's idea and make sure that you secure the keys well that are used in the DLLs. If you have them protected well, and they encrypt on the web server, it provides some level of security.
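The application-side approach both replies recommend, as an added example in Go that is not code from this thread or its posters: the card number is sealed with AES-256-GCM inside the compiled component before the row is sent to SQL Server, so only ciphertext crosses the wire or lands in a backup. The 32-byte key and the order IDs are constructed for the demonstration; a real deployment loads the key from protected storage rather than embedding it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed demo key. In production it lives with the compiled component
// (DPAPI or an HSM), never in the Access front end or the database.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// NewCardCipher is the only place the key is touched; it returns AES-256-GCM.
func NewCardCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard encrypts the PAN before it reaches the database: only nonce||ciphertext||tag
// is stored. The order ID is bound as associated data so a blob copied onto another order fails to open.
func SealCard(aead cipher.AEAD, orderID, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(orderID)), nil
}

// OpenCard decrypts for the sales team; a truncated or tampered blob, or a
// wrong order ID, returns an error rather than a PAN.
func OpenCard(aead cipher.AEAD, orderID string, sealed []byte) (string, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return "", errors.New("sealed blob too short")
	}
	pan, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(orderID))
	return string(pan), err
}

func main() {
	aead, _ := NewCardCipher(demoKey)
	sealed, _ := SealCard(aead, "ORD-1001", "4111111111111111")
	pan, err := OpenCard(aead, "ORD-1001", sealed)
	fmt.Printf("stored %d bytes; recovered %q, err=%v\n", len(sealed), pan, err)
}
```

The 30-day purge from the original post still applies to the sealed column; rotating or destroying the key is what makes old backups unreadable.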