Re: Creditcard Number Security was Re: Encrypted column - Mailing list pgsql-general

From Richard P. Welty
Subject Re: Creditcard Number Security was Re: Encrypted column
Date
Msg-id 46686499.9060103@averillpark.net
In response to Re: Creditcard Number Security was Re: Encrypted column  (Guy Fraser <guy@incentre.net>)
Responses Re: Creditcard Number Security was Re: Encrypted column  (Guy Rouillier <guyr-ml1@burntmail.com>)
Re: Creditcard Number Security was Re: Encrypted column  (John DeSoi <desoi@pgedit.com>)
List pgsql-general
Guy Fraser wrote:
> On Tue, 2007-06-05 at 16:51 -0400, Andrew Sullivan wrote:
>
>> Yes.  I agree, in principle, that "don't store them" is the best
>> advice -- this is standard _Translucent Databases_ advice, too.  For
>> the least-stealable data is the data you don't have.
>>
>> But if there is a business case, you have to do the trade off.  And
>> security is always a tradeoff (to quote Schneier); just do it well.
>> (Someone else's advice about hiring a security expert to audit this
>> sort of design is really a good idea.)
>>

> Have you thought about setting up an account with PayPal, and having
> people pay through PayPal?
>
> Let PayPal deal with the security, and credit card info, after all it's
> what they do.
>
at the day job, when we switched from paypal (who we found very
undependable) to authorize.net, we were very pleased to discover that
authorize.net would take care of the credit card numbers for us, so we
didn't have to try to secure them beyond the usual requirements while
the numbers are in transit.

i would definitely recommend outsourcing for this if at all possible.

richard

