What are the PCI rules to follow for storing credit card numbers in a database?
1) is this allowed?
2) if so, what rules do we have to follow?
Im looking at this site https://www.pcisecuritystandards.org/security_standards/index.php
which document should I be reading here?
1) Yes, it is allowed but very, very discouraged. Having this information in your database makes you an extremely attractive target for hackers. And if you think you can protect it, think again. Hackers have defeated the security of companies with excellent security. Your security won't be any better.
2) You have to follow the PCI rules outlined in this guide. But you may find this guide easier to understand. Go to page 14 for what you need to know. Basically you can store it but it has to be encrypted according to PCI standards. Your server and network also must be secure. If any piece of the puzzle is not PCI compliant you cannot store the credit card numbers. That rules out most shared hosting companies as a solution.
This is not a direct answer, but a suggestion. Please don't downvote; I'm just trying to be helpful. After much experience with PCI compliance, I strongly suggest you avoid having credit card information on your systems if at all possible.
The approach we have used (with great success) is Tokenization. There are services that will collect and store your credit card information for you. You make an API call to get a token, generally a hash of some kind, which represents the credit card's primary account number. When you want to bill the card, you pass the token and other transaction details, and they process they payment.
Here is an straightforward article about the process:
http://www.creditcards.com/credit-card-news/tokenization-to-fight-credit-card-id-theft-1282.php
There are lots of options for this these days:
https://www.adyen.com/blog/tokenization-payment-technology-guide
http://www.elementps.com/software-providers/security/pass/
http://www.cybersource.com/products_and_services/payment_security/payment_tokenization/
For more information on that approach you can use the Google Search: Credit Card Tokenization.
You can but it's expensive to do.
You need to have DNS provided by another service or a dedicated DNS server.
You need to have a dedicated server running your SQL Server database and nothing else.
You need to use PCI approved software.
Your Database server needs to be within the same Data center as your Web Server else you will have poor performance.
So it's best to either host your site on a PCI secure host or setup your servers as I described.
Related
What is the best practice to pass sensitive information like password/secret from angular to Webapi?
Should we need to hash/encrypt them at the client before sending to webapi?
Having https:// protocol would be enough to pass the sensitive information over the wire without encrypting?
Let me know your thoughts.
using https is encrypting
SSL is secure socket layer and uses various encryption algorithms (configured on the web server) in order to encrypt any communication and it is the best means of protecting information. Any data sent to the client is compromised and so encryption in the browser (JS not native) is typically considered not worth while.
Suggest going to letsencrypt and setting up certbot to get/renew your certificates, it also helps with server configuration. You may also want to look into general "server hardening guides" on linux I also use a program called lynis on the server side to help audit/lock things down. There are also companies that will evaluate the hash algorithms your server is allowing in order to verify it isn't using any algorithms that are known to have exploits (like heartbleed), typically the companies are advertised as "PCI certification" companies but the tests are basically all automated. (PCI is payment card industry or visa/mastercard secruity best practices, if not followed and data is lost you may be considered more liable if you are not following PCI rules/suggestions)
Following general security best practices and writing code that is not subject to SQL injection will put you ahead of most unfortunately but there are no silver bullets to security (same as performance):
https://www.intellectual-tech.com/blog/web-security-ch-1
I have a quick question based on database security.
I am looking to make a page that will require login details and once granted access will allow the user to change things such as name, address, phone number etc.
As long as the username and password is properly secure the information in the following pages will be safe right?
There is nothing I have to do like encrypting that information because it is behind the wall which is the login area. Or, are there other ways people can access database that I will need to consider?
Also can someone point me in the direction of a good way to do encryption. I have looked at using md5. Is that the best/easiest way to encrypt password and sensitive information.
Thanks
Q: "As long as the username and password is properly secure the information in the following pages will be safe right?
and
Q: "Also can someone point me in the direction of a good way to do encryption. I have looked at using md5. Is that the best/easiest way to encrypt password and sensitive information."
A: No, web security is not that simple. For example, an SQL injection bug will allow somebody to retrieve your whole database, including the "encrypted" [sic] information and non-encrypted information. But the standard way of storing password information is not by using "encryption" but instead some type of hashing (terminology differs from place to place, I'll get to that more in a moment).
As for how to do this properly, the two best sources are:
CrackStation.Net
Thomas Pornin
I'm partial to Thomas Pornin's description, as he is a real cryptographer who understands the issues better than anybody else. He has a number of posts about this on StackOverflow: you can can Google for it (I can't post more than 2 links since I am a new member here). Note also the Pornin points out the terminology abuse that everybody is making on this subject ("encryption", "key derivation function", etc...).
Please, please, don't make the mistake of using MD5!
Q: "Or, are there other ways people can access database that I will need to consider?"
A: An excellent book on this subject is Cryptography in the Database: the last line of defense. Think about: where are you backups stored -- how secure are they? Can system and database administrators always be trusted? What happens if there is some type of vulnerability in your system (such as SQL injection or remote file inclusion) that allows an attacker to get inside information? What about the threat of physical data theft? How about development staff -- do they get access to the database?
So really, it is not an easy question, and it takes a considerable amount of study to get a realistic understanding of the issues. Your company should have a security architect to help analyze your system and develop the right solution for it.
At the most simplistic level if you code something like select <columns> from <table> where <key columns> = <verified name> then yes, only the values matching the login will be displayed. However, the Bad People will look for ways to get data by going around your application, not by using it, up to and including stealing the DB server itself. You need to understand the whole variety of risks you face and make a call on what you're willing to do to address each, and which you are willing to just accept.
Imagine that you want to design a tennis booking system.
You have 5 tennis clubs as partners with no online api allowing you to check on their side if a court is booked or not: You have to build this part as well.
Every time a booking is done on their side you want it to be known by our system. Probably using a POST request form tennis partner to our server.
Every time a booking is done on our website, we want to push the booking to their system. The difficulty is that their system need to be online and accessible from outside. Ip may change, we have to use a dns updater.
In case their system is not available we still accept the booking and fallback to an async email with 'i confirm booking/reject booking' link sent to the club.
I find the whole process quite complex and was wondering about the way online hotel booking system and hotel were working. Do they all have their data open and online ?
The good thing is that the data will grow large and fits nicely to some no SQL ;) like couch db
There are several questions here, let me try and address each one...
Since this appears to be an internet application with federated servers, using the implied HTTP Protocol makes a lot of sense. This could be done via Form POSTs, GET, or even REST-ful submission of some custom data structure. In the end, the exact approach to use will need to come down to the size and complexity of the information being communicated. Many architectures employ these approaches and often combine them with encrypted, signed, and/or encoded payloads for security. One short-fall to consider with these approaches is that they will require you to clearly communicate all request / response message formats, field ranges, and variations since these mechanisms are not really self-describing. On the other hand, these patterns use very common protocols, are easily understood, easy to implemented, and are typically lean on-the-wire.
In constrast, architectures with very complex structures often chose to use WSDL-based web services. Also driven by common standards, these tend to be self-describing, inherently versionable, although they can take more time and energy to implement. There are a lot of advantanges to web services which are driven by many WS-* standards which may be worth investigating further in your case.
As for the reservation process... many similar architectures will employ an orchestration model such as the following:
Find open booking spaces
Make a reservation for a booking space. This places an expiring lock on a space while the requestor fills in all required booking information. This mitigates against race conditions that could lead to multiple bookings for the same space
Once all required booking information is received and validated the booking is confirmed and permamently locked from use by other requestors
As for the SQL-style DB comment, I can't really say given the amount of information supplied. With that said, my instincts tell me a SQL-style DB is completely reasonable for this problem set. I have databases with many pedabytes and have very high SLA's. You implied a need for high availability and SQL-based databases have a few decades of proven support behind them in this area.
Hope this helps.
I think you will find most on-line hotel reservation systems aren't really on-line. My experience is that those companies (not the hotels themselves) offering on-line booking systems also insist that the hotel itself also books their rooms on-line using the same system.
Everything works fine as long as connectivity is not an issue - and in small motels scenario it normally will. Of course the bigger hotels use the same system the airlines do and they have dedicated communications links for the purpose. The reservations are of course maintained on one central computer with appropriate backup links etc etc etc.
It is very easy for individual tennis clubs to offer their own real-time online booking systems using their own database/website with programs like MyCourts offers however once you want to link more than one clubs facilities then you really don't have much option other than to have a centralized server that both the user and the club both have to use to reserve facilities.
Our clients must pay a monthly Fee... if they don't, what is the best way to block the asp.net software usage?
Note: The application runs on the client own server, its not a SaaS app...
My ideas are:
Idea: Host a Web Service on the internet that the application will use to know if the client can use the software.
Issue 1 - What happen if the client internet fails? Or the data center fails?
Possible Answer: Make each web service access to send a key that is valid for 7 or 15 days, so each web service consult will enable the software to run more 7 or 15 days, this way the application will only be locked after 7 or 15 days without consulting our web service.
Issue 2 - And if the client don't have or don't want to enable internet access to the application?
Idea 2: Send a key monthly to the client.
Issue - How to make a offline key?
Possible Answer: Generate a Hash using the "limit" date, so each login try on software will compare the today hash with the key?
Issue 2 - Where to store the key?
Possible Answer: Database (not good, too easy to change), text file, registry, code file, assembly...
Any opinion will be very appreciated!
Ah, the age old issue of DRM. And that's what you're talking about here. Frankly, the fundamental answer to your question is: you can't. No matter what you do to the system, it can be hacked and modded in such a way that your DRM authentication scheme can be bypassed and/or broken.
This is a fundamental fact of software development: it can and will be pirated.
So, the answer to your question is that you will have to trust the client to pay you the fees you determine to be correct (which is the whole point of contracts in this situation).
Any other actions you take are a hardship and annoyance on your paying customer, and has the potential to erode your customer base.
Now, if you want control of your software in the nature described, then do not provide it to users to run on their own servers. Force them to be SaaS. In that way, you control all of that. But this is the only way.
Something that you don't appear to be thinking about, but I have seen networks which do not allow any type of "dial home" solutions, as a majority of the systems were internally focused and thus these internal servers were NOT allowed to contact the outer internet. At all. It was deemed a security risk to even allow them access. How would you handle those networks?
Frankly, if I was the customer, and I paid my fees to license your software (which I installed on my own device) I would be irate if I had to allow that device access to the internet in order for it to work. Doubly so, if the software in question was any type of financial management, customer management, HR management, quality management, inventory management, sales, or just anything related to my business, customers or employees. I don't trust software developers enough to have their software talk to something else when my business-relevant data is held in their software.
In the end, what you are describing is an antagonistic approach to take with your paying customers. If you don't believe me, look at the comments that UbiSoft is getting for their latest customer-hating DRM scheme.
IMO, you have two good paths here:
Go SaaS
Ensure your contract has a
bite for non-payment
usually you provide an scrambled key that includes a valid authorization token and the expiration date through which service is paid. Then the installer will use this to "activate" your software. Not sure how this would be viewed if you have 1-2 week periods. you'd want to warn them about upcoming expiration. Also not sure how to tell if they've set their own clock back.
In short, nothing will be perfect.
I've dealt with this before and its not possible to make a perfect system. There are risks in anything you do. The best thing is to weigh your options, and determine the method that has the least likelihood of being hacked and the most likelihood of working correctly and easily for the customer.
Like others have said, they could change their clock and invalidate the license checking mechanism. If you didn't trust the user, you could make the license system connect to your servers. You would then need to ensure that they always have a connection to your servers to check the license.
What if there is a valid reason that they cannot access your server?
Their internet connection has a problem.
YOUR internet connection has a problem.
In that case, should you disable the application? Probably not. But then again, what if they shut down the connection on purpose? Then you would WANT to disable the application.
If you give them a monthly key, you're adding a monthly annoyance and you may lose a customer after a while (people tend to do business with those who make it easy).
For example: If you base it on their clock, and the application needs their clock to be accurate for some reason, then its unlikely that the customer will change their clock.
I agree with Stephen but ultimately, I think that your contract is your best ally here.
As been previously mentioned, you don't want to inconvenience customers, especially if you have a large deployment.
As for SaaS, if I were a customer using your product and you said that the model is changing and we need to access the software from your server and ours must be decommissioned, I'd not be happy. I'd probably use the opportunity to switch packages.
In corporate settings, the contract really is the best way to handle these issues. I've worked on licensing issues for desktop and ASP.NET applications and they can cause a number of headaches for both you and your client.
However, if you insist on using something like this I suggest you go with a middle ground. Instead of only unlocking the application for a week or two, provide a license for 6 months or a year. This way, if you run into licensing issues (and you will run into issues) they only occur once a year rather than a couple of times per month. That will be cheaper for you in support and your clients will be less unhappy about dealing with licensing issues. If the company stops paying and you need to terminate the license you can handle that on a one-off basis, using contract enforcement as needed.
On the web service or client license options, I think a good license system would incorporate both. A client license to provide a the application a stable license and a web service to generate and deliver the license key when it is time for the application to be renewed. If the client won't allow the application to call home to get the license key also provide a manual entry method.
If you are going to store a license on the client, do not try to build a component yourself. There are many components available which will be much more robust and reliable than the one you build. There is a .NET .licx-based licensing method and a number of 3rd party methods that you can use. Which one is most appropriate depends on your scenario: how flexible you want the license and what other options you need. Most importantly, find something reliable - any time your customers spend fixing problems caused by licensing is non-productive for them and will reflect poorly on the application.
The important thing to keep in mind is that no system is fool proof. If your application is valuable, someone is going to figure out how to steal it. But at the corporate level and with custom software it's more likely the licensing will be used to remind people to pay rather than stop wholesale piracy.
I was wondering if there are any standards for encrypting sensitive data in Database which are compliant w/ SOX or HIPAA. Or does the Encrypt Function in SQLServer necessary?. or handle in Business logic.
Any ideas or links we have.
First, Google for HIPAA Compliance
Then, read articles like this one: http://www.developer.com/java/ent/article.php/3301011/HIPAA-Security-Rule---What-Software-Developers-Should-Know.htm
And this http://www.hipaa.ihs.gov/index.cfm?module=compliance_packet
Finally, talk to your company's legal counsel. Failure to properly safeguard PHI will cost your company millions when you lose a lawsuit because your entire HIPAA compliance strategy was based on responses on StackOverflow.
At one company I was at, compliance in protecting credit cards they created a key and then destroyed that hard drive with a sledgehammer, so that no one could get the information that went into creating that key.
Though they were using the Oracle DB they created their own key to encrypt the credit cards.
For HIPAA compliance I would not trust any encryption done by the database, as it may not have the security that you need, and your company is on the hook for any failures.
Your best bet is to control the key yourself, and not have the key in the database, or server.
Have the key required to be input when the application or server application starts up, but, as S.Lott pointed out, your legal counsel will need to be involved in reviewing the design to make certain that all the issues are covered.
SQL Server 2008 cryptographic API is certified for Common Criteria compliance: Common Criteria Certification.