From: | Andrei Kovalevski <andyk(at)commandprompt(dot)com> |
---|---|
To: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
Cc: | Michelle Konzack <linux4michelle(at)tamay-dogan(dot)net>, pgSQL - General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: How to design a "customer" TABLE which hold credit card infos and other payments? |
Date: | 2008-11-07 15:22:22 |
Message-ID: | 49145D2E.9080500@commandprompt.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Hello,
Scott Marlowe wrote:
> On Thu, Nov 6, 2008 at 2:43 PM, Michelle Konzack
> <linux4michelle(at)tamay-dogan(dot)net> wrote:
>
>> ************************************************************************
>> * Do not Cc: me, because I READ THIS LIST, if I write here *
>> * Keine Cc: am mich, ich LESE DIESE LISTE wenn ich hier schreibe *
>> ************************************************************************
>>
>
> Sorry, it's how this list works. If you don't want that, there are
> some options for majordomo you can set to alleviate the issue. I'm
> not changing how I reply to the list just for you.
>
>
>> Hello,
>>
>> I am coding a new OnlineStore (the existing ones fit not my needs, are
>> to complicate to use or simply closed source and too expensive e.g.
>> InterShop) with an integrated powerful ledger.
>>
>> So now it comes to infos about Credit Cards, PayPal and friends...
>>
>
> If you are storing credit card data then you must follow the PCI
> standards for doing so. Look them up on the web and get a copy.
> Failure to follow their security guidelines will result in you not
> being allowed to process or handle credit cards.
>
> That said, the best way to store them is to not store them. If you
> still have to, then use some kind of encryption using the user's
> password as part of the key, and don't store the user's password, only
> an md5 of it. Also, store the password on one machine, encrypted, do
> the encryption decryption on another machine
Try to avoid storing any card and card holder info, and you definitely
shouldn't keep in DB the whole data required to authorize transaction.
Just take in mind how dangerous this info could be in case of security leak.
--
Andrei Kovalevski
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: PL/php, ODBCng - http://www.commandprompt.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Bruno Lavoie | 2008-11-07 16:15:43 | Importing text file into a TEXT field |
Previous Message | Scott Marlowe | 2008-11-07 14:51:37 | Re: Database access over the Internet... |