Credit card information: what precautions should be taken?

We do not store credit card information. It is collected through an HTML form and then processed by a PHP script that uses Intuit's API to charge the credit card. After the API call to charge the card, all credit card information is deleted.

Here are my questions regarding the security of credit card information:

  • I assume SSL is required. Is that correct?
  • Should I switch from shared hosting to a dedicated server?
  • I assume there is no encryption that is not easily reversible which could take place between the HTML form and the PHP script. Do I need to use any encryption for what I'm trying to do?

If there is anything else you can think of, please share it. Thank you for your time.

4 answers

I assume SSL is required. Is it correct?

Yes, correct.

Should I switch from shared hosting to a dedicated server?

A VPS at minimum is a very good idea. You probably cannot be PCI compliant on a shared host; you just don't have enough control to lock the server down the way PCI requires.

I assume there is no encryption that is not easily reversible which could take place between the HTML form and the PHP script. Do I need to use any encryption for what I'm trying to do?

Your API should take care of this. Make sure the API connection also uses SSL / a secure connection.

Please read the PCI requirements. You are transmitting cardholder data, so you MUST comply with PCI. You will be at the "lowest level" of compliance (I think it's C or D). You will also need to perform quarterly scans of your server's IP to prove compliance. FYI, I use McAfee Secure for this.

The only way you would not be subject to the PCI rules is if the cardholder data is entered on a third-party server (think: PayPal). When you pay with PayPal, you are redirected to PayPal's server and then redirected back. In that scheme you do not need to be compliant.

Now, many of the PCI requirements talk about things that do not apply to you as asked in the questionnaire (i.e. whether your server is kept in a secure location, how physically secure your building is, etc.); the good news is that your server / hosting company has to handle those.

After the network scan, you will get a list of things that make you non-compliant. They are almost always server-related. You can either fix them yourself or ask your host to help; most hosts will do this if you send them the list. You cannot fix them on shared hosting.


Your questions addressed in order

  • Yes, also when connecting to the API, which should be the only option.
  • This is a good idea; less security exposure. You are less likely to have a compromised co-tenant compromising your site.
  • As long as you do not store or cache the data in any form and use SSL for transit, you will not have to implement encryption in your application.

PCI requirements may apply.

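Both of the answers above make the same two server-side points: the PHP script's own connection to the payment API must be over SSL, and the card data must not be kept anywhere once the call is made. The following PHP is an added example, not code from the question, the answers or Intuit's API. The endpoint URL (PAYMENT_API_URL), the field names, the bearer-token header and the JSON response shape are placeholders; the processor's real documentation defines the real ones.

```php
<?php
// Added example, not code from the original post or from Intuit's API.
// It forwards the card data to the payment API only over a verified TLS
// connection, refuses plain HTTP, and drops the card values as soon as the
// call returns so they cannot end up in a later dump, trace or log.
// PAYMENT_API_URL, the field names and the response shape are placeholders.

declare(strict_types=1);

const PAYMENT_API_URL = 'https://payments.example.com/v1/charge'; // hypothetical

/**
 * Forward one charge to the payment API.
 *
 * @param array{number:string,exp_month:string,exp_year:string,cvv:string} $card
 * @return array<string,mixed> decoded API response
 * @throws RuntimeException on any transport, TLS or HTTP error
 */
function charge_card(array $card, int $amountCents, string $apiKey): array
{
    $ch = curl_init(PAYMENT_API_URL);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $payload = json_encode([
        'number'    => $card['number'],
        'exp_month' => $card['exp_month'],
        'exp_year'  => $card['exp_year'],
        'cvv'       => $card['cvv'],
        'amount'    => $amountCents,
    ], JSON_THROW_ON_ERROR);

    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => $payload,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HTTPHEADER      => [
            'Content-Type: application/json',
            'Authorization: Bearer ' . $apiKey,
        ],
        // This is what makes "SSL to the API" mean something: VERIFYPEER
        // checks the server certificate against the CA bundle, VERIFYHOST = 2
        // checks that the certificate is for the host we asked for. The common
        // "fix" for certificate errors, VERIFYPEER => false, lets anyone on the
        // path read the card number.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Refuse to speak plain HTTP, even if a redirect points there.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 30,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Drop every variable that holds card data before any code path that can
    // throw. PHP does not promise to wipe memory, but this keeps the values
    // out of exception traces, var_dump() output and error logs.
    unset($payload, $card);

    if ($errno !== 0) {
        // curl_error() describes the transport failure and never contains the
        // request body, so it is safe to log.
        throw new RuntimeException("payment API transport error: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("payment API returned HTTP $status");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Usage from the form handler. The caller must also clear its own copy of the
// data ($_POST); otherwise the card number stays reachable for the rest of the
// request, e.g. in a fatal-error dump. Field names are hypothetical.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $card = [
        'number'    => $_POST['number']    ?? '',
        'exp_month' => $_POST['exp_month'] ?? '',
        'exp_year'  => $_POST['exp_year']  ?? '',
        'cvv'       => $_POST['cvv']       ?? '',
    ];
    unset($_POST['number'], $_POST['exp_month'], $_POST['exp_year'], $_POST['cvv']);
    try {
        $result = charge_card($card, 1999, getenv('PAYMENT_API_KEY') ?: '');
    } finally {
        unset($card);
    }
    echo 'Charge ' . htmlspecialchars((string) ($result['id'] ?? 'submitted')) . ' accepted';
}
```

Two things the code cannot do for you: keep display_errors off in production so an uncaught exception never renders request data into the page, and check that neither the web server nor any application logging writes POST bodies, since "we do not store card data" is only true if nothing in the request path does so as a side effect.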

1) I would serve the entire page via HTTPS so that users do not get the alarming "some resources on this page are not secure" warning.

2) Depends on the integration. If Intuit has provided you with an iframe or a form action to use, then the sensitive data never reaches your server: the user types it and/or submits it directly to Intuit, with your page acting just as a container.

If that is the case:

3) You do not need to go through PCI compliance. Intuit has already done it. Sensitive data never reaches your server, so there is nothing to protect there.

4) Shared or dedicated hosting does not really matter, since you neither pass through nor store sensitive information.

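Points 1 and 2 of the answer above describe a concrete setup: the whole checkout page served only over HTTPS, with the card fields posting straight to the processor's hosted endpoint so the card number never touches your own server. The PHP below is an added example, not code from the answer or from Intuit. CANONICAL_HOST, PROCESSOR_FORM_URL, the hidden fields and the input names are placeholders; a real hosted-form integration will specify its own (typically a merchant id and signed amount fields).

```php
<?php
// Added example, not code from the original post or from Intuit. The checkout
// page is only ever served over HTTPS (so the browser never shows the
// "not secure" warning), and the card inputs post directly to the processor,
// so the card number never reaches this server. CANONICAL_HOST,
// PROCESSOR_FORM_URL and the form fields are placeholders.

declare(strict_types=1);

const CANONICAL_HOST     = 'shop.example.com';                          // hypothetical
const PROCESSOR_FORM_URL = 'https://checkout.example-processor.com/pay'; // hypothetical

function request_is_https(): bool
{
    // Set by PHP/Apache when TLS terminates here. If a reverse proxy
    // terminates TLS instead, trust X-Forwarded-Proto only when the app is
    // reachable solely from that proxy, because any client can send the header.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/** Redirect plain-HTTP visitors and pin HTTPS for returning ones. */
function require_https(): void
{
    if (!request_is_https()) {
        // A POST that arrived over plain HTTP has already been exposed on the
        // wire; do not replay it, send the user back to the form instead.
        $path = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET'
            ? ($_SERVER['REQUEST_URI'] ?? '/')
            : '/checkout';
        // Only accept a local absolute path; anything else collapses to "/".
        if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
            $path = '/';
        }
        // Build the target from our own constant, not from the Host header,
        // so an attacker-controlled Host cannot turn this into an open redirect.
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
    // Browsers that have seen this header use HTTPS for this host for a year
    // without first trying http://.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Any http:// sub-resource URL left in the markup is upgraded to https://
    // by the browser instead of producing a mixed-content warning.
    header('Content-Security-Policy: upgrade-insecure-requests');
    // The session cookie never travels in the clear and is not readable by script.
    // Must run before session_start().
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Hosted-form variant: the card inputs post to the processor, not to us. */
function render_hosted_form(string $orderId, int $amountCents): string
{
    $e = static fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $e(PROCESSOR_FORM_URL) . '">'
         . '<input type="hidden" name="order_id" value="' . $e($orderId) . '">'
         . '<input type="hidden" name="amount" value="' . $e((string) $amountCents) . '">'
         . '<input name="number" autocomplete="cc-number" placeholder="Card number">'
         . '<input name="exp" autocomplete="cc-exp" placeholder="MM/YY">'
         . '<input name="cvv" autocomplete="cc-csc" placeholder="CVV">'
         . '<button type="submit">Pay</button>'
         . '</form>';
}

if (PHP_SAPI !== 'cli') {
    require_https();
    session_start();
    echo render_hosted_form('order-1234', 1999);
}
```

The redirect alone does not remove the mixed-content warning: that comes from http:// URLs inside the page (scripts, images, stylesheets), which is why the example also sends the upgrade-insecure-requests directive and why the sub-resource references themselves should be https or relative. With the form posting directly to the processor, the only thing this server ever sees from the card fields is nothing at all, which is the whole basis for points 3 and 4.
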
  • SSL: Yes, of course. Between your server and client, and between you and the API.
  • Dedicated Hosting: Ideally, yes. There are two problems with shared hosting:

    • Anything stored in the session can potentially be read by other users on the server.
    • A security breach on any site, not even yours, may result in a breach of yours.

    This is primarily the domain of your host's security policies and is not easily identified by PCI scans.
