[UPHPU] Is https enough?

Ben Reece breece at doba.com
Wed Jun 13 16:55:38 MDT 2007



Lamont Peterson wrote:
> On Wednesday 13 June 2007 01:35am, Brandon Stout wrote:
>   
>> Orson Jones wrote:
>>     
>>> https is perfectly fine. The thing that worries me is what happens after it
>>> hits the server. (is it stored in an unencrypted format, is it stored
>>> longer than necessary, is it transmitted elsewhere securely? etc.)
>>>
>>> Orson
>>>       
>> I agree.  However, if encrypted properly in the database, is there a
>> "longer than necessary"?  Once on their server, perhaps it's less secure
>> to have to request the card number again than to keep the number
>> encrypted on the server.
>>     
>
> Remember, there is no such thing as being secure.  It's all just trade-offs 
> and risk management.  So, for each application, one has to decide if the 
> trade-offs are better one way or the other.  It might well be better for one 
> application to keep the encrypted card numbers in the DB but not worth it for 
> another to have to deal with those encryption keys.
>   

As far as credit cards are concerned, the payment card industry (PCI) 
has very specific ideas about what is secure.  If you're interested you 
can take a look at 
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf  -- it's a 
pretty comprehensive take on the whole thing.  I bring it up because one 
of their requirements is that card numbers must be "protected" (read: 
encrypted) anywhere they're stored electronically.

The PCI people (Visa, etc.) will revoke your ability to accept credit 
cards if they audit you and find you wanting, though they tend to audit 
only larger volume businesses (millions of dollars per year).

-Ben
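As an added illustration of the requirement Ben quotes (card numbers protected wherever they are stored) and of the trade-off Lamont raises (keeping them means managing keys), here is a small Go program, not from this thread or from the PCI DSS document, that encrypts a PAN with AES-256-GCM before it would be written to a database row and only ever exposes the last four digits in the clear. It assumes the 32-byte key comes from a key-management system or HSM and is never stored next to the data; the card number used in the demo is the well-known Visa test number, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is what the database row would hold: never the plaintext PAN.
type StoredCard struct {
	Last4      string // displayable; PCI DSS allows at most the last four digits in the clear
	Ciphertext string // base64(nonce || AES-GCM ciphertext || tag)
}

// luhnValid rejects malformed numbers before anything is encrypted or stored.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts a PAN under key (assumed to be fetched from a KMS/HSM by the caller).
// A fresh random nonce per row means two rows with the same PAN do not look alike.
func Protect(key []byte, pan string) (StoredCard, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// The last-four column is passed as associated data, so a ciphertext cannot
	// be silently moved onto a row with a different Last4 value.
	last4 := pan[len(pan)-4:]
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(last4))
	return StoredCard{Last4: last4, Ciphertext: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// Reveal decrypts a stored row; it fails closed on a wrong key or a tampered row.
func Reveal(key []byte, sc StoredCard) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sc.Ciphertext)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(sc.Last4))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered row")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // stand-in for a key obtained from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sc, err := Protect(key, "4111 1111 1111 1111") // Visa test number, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: last4=%s ciphertext=%s\n", sc.Last4, sc.Ciphertext)
	pan, err := Reveal(key, sc)
	if err != nil {
		panic(err)
	}
	fmt.Println("revealed on demand:", pan)
}
```

The point of the example is where the risk moves rather than disappears: the row is useless without the key, so the key, its access controls and its rotation become the thing an auditor (and an attacker) cares about, which is exactly the "have to deal with those encryption keys" cost in the quoted reply.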

